Career Employer

FREE CGRC Study Guide 2026: All 7 Domains

The most important things the CGRC tests — an interactive study guide built on the NIST RMF, with quizzes and flashcards, organized by all 7 ISC2 domains.


This free CGRC study guide walks through every content domain the Certified in Governance, Risk and Compliance exam tests, organized to the current ISC2 exam outline (effective June 15, 2024).[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

CGRC is the cert formerly known as CAP (Certified Authorization Professional), and the whole exam is built on the NIST Risk Management Framework. The seven official domains map almost one-to-one to the seven RMF steps, so we teach one module per domain, following the RMF lifecycle from program setup through monitoring.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full RMF reference manual.

CGRC is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.

CGRC Exam Snapshot

CGRC exam at a glance

| Detail | CGRC Exam |
| --- | --- |
| Questions | 125 items (100 scored + 25 unscored pretest) |
| Format | Linear, fixed-form (not adaptive); multiple choice + advanced items |
| Time | 3 hours |
| Passing score | 700 out of 1000 (scaled) |
| Administered by | ISC2, delivered at Pearson VUE |
| Certifying body | ISC2 (formerly (ISC)²) |
| Formerly known as | CAP — Certified Authorization Professional |
| Eligibility | 2 years' experience in 1+ CGRC domain; or Associate of ISC2 |
| Cost | $249 USD (Americas) |
| Recertification | Every 3 years — 60 CPE credits + $135 annual maintenance fee |
| Outline version | Effective June 15, 2024 |

The CGRC is narrow but deep: instead of broad security breadth, it tests one thing thoroughly — the lifecycle for authorizing and maintaining a system. Implementation of Controls is the heaviest domain at 17%, and Domains 1, 4, and 5 together are about half the exam.[1] Study by the lifecycle:

CGRC weighting by domain (ISC2 exam outline, June 2024)

| Domain | Area | Weight |
| --- | --- | --- |
| 4 | Implementation of Controls | 17% |
| 1 | GRC & Compliance Program | 16% |
| 5 | Assessment/Audit of Controls | 16% |
| 3 | Selection & Approval of Controls | 14% |
| 6 | System Compliance (Authorize) | 14% |
| 7 | Compliance Maintenance (Monitor) | 13% |
| 2 | Scope of the System | 10% |

Because the domains follow the RMF, the cleanest way to learn CGRC is to learn the framework itself. Here are the seven RMF steps and the domain each one maps to; this single mapping is the spine of the whole exam:

| RMF step | CGRC domain |
| --- | --- |
| Prepare | Domain 1 · GRC, Risk Management & Compliance Program |
| Categorize | Domain 2 · Scope of the System |
| Select | Domain 3 · Selection & Approval of Controls |
| Implement | Domain 4 · Implementation of Controls |
| Assess | Domain 5 · Assessment/Audit of Controls |
| Authorize | Domain 6 · System Compliance (Authorization) |
| Monitor | Domain 7 · Compliance Maintenance (Monitoring) |

Module 1 · GRC, Risk Management & Compliance Program

One official domain, 16% of the exam. This domain is the foundation: what governance, risk, and compliance mean, the frameworks and laws a CGRC professional works within, and how the RMF organizes risk management across a system’s life. It corresponds to the RMF Prepare step.

1.1 Governance, Risk & Compliance Principles

Governance, Risk, and Compliance (GRC) ties three disciplines together. Governance sets direction and accountability through policy, oversight, and roles. Risk management identifies, assesses, and treats risk to the organization’s mission. Compliance ensures the organization meets its legal, regulatory, and contractual obligations. The CGRC tests how you use frameworks to align all three so a system can be authorized and kept compliant.[1]

Security rests on the classic objectives — confidentiality, integrity, and availability — plus non-repudiation and, increasingly, privacy, which the 2024 outline weaves throughout. Governance flows top-down: senior management owns risk and sets the tone, and the policy hierarchy runs policy → standard → procedure → guideline.

The three pillars of GRC

| Pillar | What it does | Example artifact |
| --- | --- | --- |
| Governance | Sets direction, accountability, and oversight | Security policy, risk strategy, roles |
| Risk management | Identifies, assesses, and treats risk to the mission | Risk assessment, risk register, POA&M |
| Compliance | Meets legal, regulatory, and contractual duties | FISMA/HIPAA/GDPR mapping, audit evidence |

1.2 Frameworks, Standards & Laws

CGRC is built on the NIST RMF, but the 2024 outline explicitly broadened to other frameworks — and a favorite question type asks you to pick the right framework for a purpose. Know what each is for:

Frameworks and laws in scope — match each to its purpose

| Framework / law | Purpose |
| --- | --- |
| NIST RMF (SP 800-37) | Lifecycle for authorizing and managing system risk (the spine of CGRC) |
| NIST CSF | Voluntary framework to manage and reduce cybersecurity risk |
| ISO/IEC 27001 | Information security management system (ISMS) |
| ISO 31000 | Enterprise / organizational risk management |
| COBIT | IT governance aligned to business objectives |
| FedRAMP | Standardized authorization for cloud services used by U.S. federal agencies |
| PCI-DSS | Protecting payment-card data |
| CMMC | Cybersecurity maturity for the U.S. defense industrial base |
| FISMA / HIPAA / GDPR | Laws driving federal, healthcare, and EU privacy compliance |

1.3 Risk Management & the RMF Lifecycle

Risk is the chance a threat exploits a vulnerability to harm an asset. You assess it two ways. Qualitative analysis is subjective, ranking risks high/medium/low. Quantitative analysis is dollar-based: Single Loss Expectancy (SLE) = Asset Value × Exposure Factor, and Annualized Loss Expectancy (ALE) = SLE × ARO (annualized rate of occurrence) is the expected yearly cost, the basis for deciding whether a control is worth its cost.[10]

You then pick a risk response: mitigate (add controls), transfer/share (insurance or a third party), avoid (stop the activity), or accept (formally tolerate it). Whatever you choose, residual risk remains: risk is never fully eliminated, and transferring the financial impact never transfers your accountability.
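As an added worked example (not from the original guide), here is the SLE/ALE arithmetic above turned into the control cost-justification check the module describes, in Python. The asset value, loss figures and the WAF/insurance options are constructed; `Risk`, `Control`, `control_value` and `recommend` are names chosen for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF (loss from one event)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (expected yearly cost)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    response: str                   # "mitigate" or "transfer"; avoid/accept need no control
    annual_cost: float
    ef_after: float | None = None   # new EF if the control reduces impact per event
    aro_after: float | None = None  # new ARO if the control reduces likelihood


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control. Residual risk is rarely zero, and
    with a transfer the accountability stays with the organization."""
    ef = risk.exposure_factor if control.ef_after is None else control.ef_after
    aro = risk.aro if control.aro_after is None else control.aro_after
    return risk.asset_value * ef * aro


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.
    Positive means the control pays for itself; this is the cost-justification
    test the module describes."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def recommend(risk: Risk, candidates: list[Control]) -> str:
    """Pick the candidate with the highest positive net value; if none pays for
    itself, the rational response is to formally accept the risk."""
    if not candidates:
        return "accept"
    best = max(candidates, key=lambda c: control_value(risk, c))
    return best.name if control_value(risk, best) > 0 else "accept"


if __name__ == "__main__":
    # Constructed figures: a $200k web asset, a defacement losing 25% of its
    # value per event, expected twice a year.
    defacement = Risk("web defacement", asset_value=200_000, exposure_factor=0.25, aro=2.0)
    options = [
        Control("WAF", "mitigate", annual_cost=30_000, aro_after=0.5),
        Control("cyber insurance", "transfer", annual_cost=60_000, ef_after=0.05),
    ]
    print(f"SLE={defacement.sle():,.0f} ALE={defacement.ale():,.0f}")
    for c in options:
        print(f"{c.name}: residual ALE={residual_ale(defacement, c):,.0f} "
              f"net value={control_value(defacement, c):,.0f}")
    print("recommended:", recommend(defacement, options))
```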

Checkpoint · GRC & Risk Management Program

Question 1 of 10

Which document establishes the organization-wide risk management strategy, including risk tolerance and risk appetite, that guides all RMF activities?

Module 2 · Scope of the System

One official domain, 10% of the exam — the lightest, but it feeds everything downstream. This domain is the RMF Categorize step: define exactly what the system is, what information it handles, and how much impact a compromise would have. Get categorization wrong and every later decision is wrong.

2.1 System Boundary & Information Types

First you define the authorization boundary — everything included in the system for authorization: its people, processes, hardware, software, information, and the connections it depends on. Then you identify the information types the system handles (financial, medical, investigative, and so on), because each type carries its own impact. Drawing the boundary correctly matters: too broad inflates cost and complexity, too narrow leaves real risk unaddressed.

2.2 FIPS 199 Categorization & the High-Water Mark

FIPS 199 categorizes the potential impact of a system — Low, Moderate, or High — separately for confidentiality, integrity, and availability. The overall system categorization uses the high-water mark: it takes the highest of the three ratings, never the average or the sum.[4] NIST SP 800-60 helps map information types to provisional impact levels.

FIPS 199 impact levels

| Impact level | Meaning if compromised |
| --- | --- |
| Low | Limited adverse effect on operations, assets, or individuals |
| Moderate | Serious adverse effect |
| High | Severe or catastrophic adverse effect |

Checkpoint · Scope of the System

Question 1 of 10

Which step of the RMF is responsible for determining the categorization of an information system based on impact?

Module 3 · Selection & Approval of Controls

One official domain, 14% of the exam. This is the RMF Select step: starting from the system’s categorization, choose and tailor the right set of security and privacy controls.

3.1 Baselines, Tailoring & Control Types

The flow is mechanical and heavily tested: categorization (FIPS 199) → minimum security requirements (FIPS 200) → pick the matching control baseline (Low, Moderate, or High) from SP 800-53B → tailor it to the system. The baseline is a starting point, not a fixed minimum.[7]

NIST SP 800-53 organizes controls into 20 families (such as AC Access Control, AU Audit, and SC System & Communications Protection). By implementer, controls are management, operational, technical, or common (inherited).

Approximate control counts by baseline (SP 800-53B)

| Baseline | System category | Approx. controls |
| --- | --- | --- |
| Low | Low-impact system | ~150 |
| Moderate | Moderate-impact system | ~300 |
| High | High-impact system | ~390 |

3.2 Inherited, Compensating & Overlay Controls

A common control is provided once at the organization level and inherited by many systems — the data center’s physical security, an enterprise identity service. A compensating control is an alternative used when a baseline control isn’t feasible, providing equivalent protection (and documented as such). An overlay is a tailored, fully specified set of adjustments for a community, technology, or mission — for example a privacy or cloud overlay.

Control tailoring options

| Option | When you use it |
| --- | --- |
| Inherit a common control | A control is provided org-wide and applies to your system |
| Apply a compensating control | The baseline control is not feasible; an equivalent safeguard is used |
| Apply an overlay | A community/tech/mission needs a standard set of adjustments |
| Scope out a control | The control genuinely does not apply to the system |

Checkpoint · Selection & Approval of Controls

Question 1 of 10

Which of the following best defines the 'security control baseline'?

Module 4 · Implementation of Controls

One official domain, 17% of the exam — the heaviest. This is the RMF Implement step: actually deploy the selected controls and document exactly how each one is implemented.

4.1 Implementation Strategy & the SSP

Implementation starts with a strategy — resourcing, funding, timeline, and how effectiveness will be measured — and ends with controls deployed and documented in the System Security Plan (SSP). The SSP is the master document: it describes the system, its boundary and environment, and how every selected control is implemented. The System Owner develops and maintains it, and it becomes the core of the authorization package.[3]

4.2 Control Types & Documentation

Knowing the type of a control helps assign responsibility and pick the right safeguard. By implementer: management (policy, planning, risk assessment), operational (people and procedures — training, incident response), technical (technology-enforced — encryption, access control), and common (inherited). By function, controls are also called preventive, detective, corrective, deterrent, recovery, and compensating.

Control types by who or what implements them

| Type | Implemented by | Example |
| --- | --- | --- |
| Management | Policy, planning, governance | Risk assessment, security planning |
| Operational | People and procedures | Security awareness training, incident response |
| Technical | Technology / the system | Encryption, access control, audit logging |
| Common | The organization (inherited) | Data-center physical security, enterprise IAM |

Checkpoint · Implementation of Controls

Question 1 of 10

What is the primary objective of the Implement step in the RMF?

Module 5 · Assessment/Audit of Controls

One official domain, 16% of the exam. This is the RMF Assess step: determine whether the controls are implemented correctly, operating as intended, and producing the desired result — then report findings and respond to risk.

5.1 Assessment Planning & Methods

Assessment begins with a Security Assessment Plan (SAP) that defines scope, roles, evidence, and procedures, and it is performed by an independent Security Control Assessor (SCA). SP 800-53A defines three assessment methods: Examine (review documents and configurations), Interview (talk to the people who run the control), and Test (exercise the control, e.g., a vulnerability scan or penetration test).[8]

The three assessment methods (SP 800-53A)

| Method | What the assessor does | Example |
| --- | --- | --- |
| Examine | Reviews documents, policies, and configurations | Read the SSP and access-control settings |
| Interview | Questions the people who operate the control | Ask staff how they handle incidents |
| Test | Exercises the control to see how it behaves | Run a vulnerability scan or penetration test |

5.2 The SAR, Risk Response & POA&M

Findings go into the Security Assessment Report (SAR), which marks each control satisfied, other-than-satisfied, or not applicable. For each unresolved weakness the organization chooses a risk response — avoid, accept, mitigate, or transfer/share — and records the remaining gaps in the Plan of Action and Milestones (POA&M), with a remediation plan, owner, resources, and target dates.

SAR finding statuses and what happens next

| SAR status | Meaning | Next step |
| --- | --- | --- |
| Satisfied | The control works as intended | No action needed |
| Other-than-satisfied | The control has a weakness or gap | Add to the POA&M with a remediation plan |
| Not applicable | The control does not apply to the system | Document the justification |

Checkpoint · Assessment/Audit of Controls

Question 1 of 10

What is the main goal of the Assess step in the RMF?

Module 6 · System Compliance (Authorization)

One official domain, 14% of the exam. This is the RMF Authorize step: package the evidence, determine residual risk, and get a senior official’s formal, risk-based decision on whether the system may operate.

6.1 The Authorization Package & Roles

The authorization package is the bundle the Authorizing Official (AO) reviews — the SSP, the SAR, and the POA&M. Memorize those three. The roles are heavily tested through scenarios — know who does what:

Who owns which authorization document

| Document | Owner | RMF step |
| --- | --- | --- |
| System Security Plan (SSP) | System Owner | Implement |
| Security Assessment Report (SAR) | Security Control Assessor (SCA) | Assess |
| Plan of Action & Milestones (POA&M) | System Owner | Assess → Monitor |
| Authorization to Operate (ATO) | Authorizing Official (AO) | Authorize |

6.2 ATO, DATO & Risk Acceptance

The AO weighs residual risk against the mission and makes a risk-based decision: grant an Authorization to Operate (ATO), grant an ATO with conditions, or issue a Denial of Authorization (DATO). An Interim Authority to Test (IATT) is different — it authorizes testing in an operational environment during development, not production operation.

Authorization decision types

| Decision | What it means |
| --- | --- |
| ATO | Full authorization to operate; the AO accepts the residual risk |
| ATO with conditions | Operate, but specific weaknesses must be remediated on a schedule |
| DATO | Denial — the risk is unacceptable; the system may not operate |
| IATT | Interim Authority to Test — testing only, not production operation |

Checkpoint · System Compliance (Authorization)

Question 1 of 10

What is the main deliverable that an Authorizing Official reviews to make the authorization decision?

Module 7 · Compliance Maintenance (Monitoring)

One official domain, 13% of the exam. This is the RMF Monitor step: an ATO is not the finish line. You keep the system compliant over time through continuous monitoring, change management, and — eventually — secure decommissioning.

7.1 Continuous Monitoring (ISCM)

Continuous monitoring (ISCM, NIST SP 800-137) is ongoing awareness of security, vulnerabilities, and threats so risk decisions stay current. After authorization the organization keeps assessing control effectiveness, tracking changes, and reporting — feeding ongoing authorization rather than treating the ATO as a one-time event.[9] An effective ISCM strategy defines what to monitor, how often, and the metrics that trigger action.

7.2 Change Management & Decommissioning

Change management is the controlled process for evaluating, approving, implementing, and tracking changes to an authorized system. A proposed change gets a security impact analysis, goes through a change control board (CCB) for approval, and is documented — with a rollback plan if it fails.

A significant change can trigger reassessment and even reauthorization. At end of life, decommissioning securely retires the system, including sanitizing media and updating documentation.

The change-management flow

| Step | What happens |
| --- | --- |
| Request | A change is proposed and recorded |
| Security impact analysis | Evaluate how the change affects the system's security state |
| CCB approval | The change control board approves, defers, or rejects |
| Implement & document | Apply the change (with a rollback plan) and update the SSP |
| Reassess if significant | A significant change can trigger reassessment / reauthorization |

Checkpoint · Compliance Maintenance (Monitoring)

Question 1 of 10

Ongoing authorization (as opposed to periodic reauthorization) relies most heavily on what?

How to Use This CGRC Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Learn the RMF first. The seven steps — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor — are the spine. Master the order and what each step produces and the exam falls into place.
  • Prioritize by weight. Implementation (17%), the GRC program (16%), and Assessment (16%) together are about half the exam — but Scope (10%) is the foundation, so don’t skip it.
  • Think governance, not gadgets. CGRC asks for the best action — usually assess, document, or get the right approval — not the flashiest technical fix.
  • Memorize the roles and documents. Know who owns the SSP, SAR, POA&M, and ATO, and the rule that the SCA assesses while the AO accepts.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint, then drill. Send weak domains into the flashcards and a practice test until your score climbs comfortably above 700.

CGRC Concept Questions

Common CGRC concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

CGRC Glossary

The high-yield CGRC terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

Annualized Loss Expectancy (ALE)
The expected yearly cost of a risk: ALE = SLE × ARO; used to cost-justify controls.
AO Designated Representative (AODR)
Coordinates the authorization process day to day but cannot make or sign the authorization decision.
Assessment method
How a control is evaluated under SP 800-53A: Examine, Interview, or Test.
Authorization boundary
Everything included in a system for authorization — the people, processes, hardware, software, information, and connections it depends on.
Authorization package
The SSP, SAR, and POA&M submitted to the Authorizing Official for the authorization decision.
Authorization to Operate (ATO)
The Authorizing Official's formal decision to operate a system and accept its residual risk.
Authorizing Official (AO)
The senior official who accepts residual risk and signs the ATO; the only role that can authorize a system.
Categorize
The RMF step that determines the system's impact level (Low/Moderate/High) on confidentiality, integrity, and availability using FIPS 199.
Change management
The controlled process of evaluating, approving, implementing, and tracking changes to an authorized system.
Common control
A control provided once at the organization or enclave level and inherited by many systems (e.g., data-center physical security).
Common Control Provider
The entity that supplies inherited common controls used across many systems.
Compensating control
An alternative safeguard used when a baseline control is not feasible, providing equivalent protection.
Continuous monitoring (ISCM)
Ongoing awareness of security, vulnerabilities, and threats so risk decisions stay current (NIST SP 800-137).
Control baseline
A predefined starting set of controls (Low, Moderate, or High) defined in NIST SP 800-53B and selected from the system's categorization.
Decommissioning
Securely retiring a system at end of life, including sanitizing media and updating documentation.
Denial of Authorization (DATO)
A decision that a system's risk is unacceptable and it may not operate.
FIPS 199
The federal standard for categorizing the potential impact (Low/Moderate/High) of a system on each security objective.
FIPS 200
The federal standard that sets the minimum security requirements corresponding to a system's impact level.
Governance, Risk, and Compliance (GRC)
The integrated discipline of directing an organization (governance), managing its risk, and meeting its legal and regulatory obligations (compliance).
High-water mark
The rule that a system's overall categorization equals the highest impact level across confidentiality, integrity, and availability — never the average.
IATT
Interim Authority to Test — permission to operate a system in a test environment, not in production.
Information System Security Officer (ISSO)
The role responsible for the day-to-day operational security posture of a system.
Information type
A category of information (e.g., financial, medical, investigative) with its own confidentiality, integrity, and availability impact.
Management control
A control implemented through policy, planning, and risk management (e.g., a risk assessment).
NIST SP 800-137
The publication that defines Information Security Continuous Monitoring (ISCM).
NIST SP 800-37
The publication that defines the Risk Management Framework (Rev. 2 has seven steps).
NIST SP 800-53
The catalog of security and privacy controls, organized into 20 control families.
Ongoing authorization
Keeping authorization current through continuous monitoring rather than periodic point-in-time reauthorization.
Operational control
A control executed primarily by people and procedures (e.g., security awareness training, incident response).
Overlay
A fully specified set of control adjustments tailored to a specific community, technology, or mission (e.g., privacy or cloud).
Plan of Action and Milestones (POA&M)
The document tracking unresolved weaknesses, the remediation plan, the responsible party, and target dates.
Prepare
The RMF step (added in Rev. 2) that establishes context, roles, risk tolerance, an organization-wide risk strategy, and common controls before authorization work begins.
Residual risk
The risk that remains after controls are applied; the Authorizing Official formally accepts it.
Risk Management Framework (RMF)
NIST's seven-step process (SP 800-37 Rev. 2) for managing information security and privacy risk across a system's life cycle.
Risk response
The chosen way to treat a risk: avoid, accept, mitigate (reduce), or transfer/share.
RMF steps
The seven steps of the RMF: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
Security Assessment Plan (SAP)
The plan that defines the scope, roles, and procedures for assessing a system's controls.
Security Assessment Report (SAR)
The report of assessment findings, marking each control satisfied, other-than-satisfied, or not applicable.
Security control
A safeguard or countermeasure that protects the confidentiality, integrity, and availability of a system and its information.
Security Control Assessor (SCA)
The role that independently assesses and tests controls and writes the SAR; independent of the System Owner.
Security impact analysis
An evaluation of how a proposed change affects the security state of a system before it is approved.
Single Loss Expectancy (SLE)
The expected monetary loss from a single risk event: SLE = Asset Value × Exposure Factor.
System Owner
The official responsible for a system who develops the SSP, owns the POA&M, and submits the authorization package.
System Security Plan (SSP)
The master document describing the system, its boundary, and how every selected control is implemented; owned by the System Owner.
Tailoring
Adjusting a control baseline to a specific system — scoping, parameterizing, supplementing, and applying overlays or compensating controls.
Technical control
A control enforced by technology (e.g., encryption, access control, audit logging).

CGRC Study Guide FAQ

The CGRC exam has 125 questions — 100 scored plus 25 unscored pretest items — and you get 3 hours. It is a linear, fixed-form exam (not adaptive), delivered in English at Pearson VUE test centers, with multiple-choice and advanced item types.

References

  1. ISC2. “CGRC Certification Exam Outline (effective June 15, 2024).” isc2.org.
  2. ISC2. “CGRC — Certified in Governance, Risk and Compliance.” isc2.org.
  3. National Institute of Standards and Technology. “SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations.” csrc.nist.gov.
  4. National Institute of Standards and Technology. “FIPS 199: Standards for Security Categorization of Federal Information and Information Systems.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “FIPS 200: Minimum Security Requirements for Federal Information and Information Systems.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  7. National Institute of Standards and Technology. “SP 800-53B: Control Baselines for Information Systems and Organizations.” csrc.nist.gov.
  8. National Institute of Standards and Technology. “SP 800-53A Rev. 5: Assessing Security and Privacy Controls.” csrc.nist.gov.
  9. National Institute of Standards and Technology. “SP 800-137: Information Security Continuous Monitoring (ISCM).” csrc.nist.gov.
  10. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.