NEWEST EXAM | ALL QUESTIONS AND CORRECT ANSWERS WITH EXPLANATIONS | GRADED A+ | VERIFIED ANSWERS | JUST RELEASED VERSION A
In accordance with Public Law 107-347, Executive Agencies must:
a. Use NIACAP for C&A of National Security Systems
b. Ensure security controls reduce risk
c. Authorize system processing prior to operation
d. Authorize systems each year to meet SP 800-37 Rev 1 Standards
Authorize system processing prior to operation
Adequate Security is:
a. Based on the maximum harm to information
b. Commensurate with risk
c. Required by law regardless of cost
d. Cost effective, based on projected budgets
Commensurate with risk
In the Risk Management Framework as described in NIST SP 800-37 Rev 1,
which task follows the task called "Information System Description"?
a. Information System Registration
b. Security Categorization
c. Security Control Selection
d. Security Control Implementation
Information System Registration
Which role has PRIMARY responsibility for ongoing remediation actions?
a. Security Control Assessor
b. Information System Security Officer
c. Authorizing Official
d. Information System Owner
Information System Owner
Security Control Assessment tries to determine if the controls are
a. Selected from NIST SP 800-53
b. In compliance with NIST SP 800-37 Rev 1
c. Producing the desired results
d. Meeting the requirements from the Information Management Model (IMM)
Producing the desired results
Which of the following terms are used in NIST SP 800-60 to describe
information that would have a serious impact on the operation of the
organization if confidentiality were breached?
a. Moderate because it concerns Confidentiality
b. High because it concerns Personally Identifiable Information (PII)
c. Moderate because it concerns data sensitivity
d. High because it concerns Confidentiality
Moderate because it concerns Confidentiality
What is the minimum frequency at which periodic testing and evaluation of the
effectiveness of policies should be done?
a. Quarterly in accordance with (IAW) FISMA
b. Every three years IAW OMB A-130
c. Whenever the System Authorization process is ongoing
d. Annually
Annually
Which of the following is NOT required to be part of the System Security
Plan (SSP) as described in NIST SP 800-37 Rev 1?
a. Incident Response Plan
b. SCP/Continuity of Operations Plan
c. Security Awareness Plan
d. Privacy Impact Assessment
Security Awareness Plan