100% Free ISC2 CGRC Practice Test Questions

Question 1

RydSecure is assessing the security controls of a multinational corporation's complex information system. The corporation has several subsidiaries, and the information system contains sensitive financial and customer data. As an authorization professional, you understand the importance of assessor independence in ensuring an unbiased and objective assessment. You have narrowed down the selection to four potential assessors. Each assessor has their own set of circumstances that could potentially affect their independence. Based on the information provided, which assessor is MOST LIKELY to maintain the highest level of independence during the evaluation of the multinational corporation's information system?

A : An assessor who recently completed a consulting engagement for one of the corporation's subsidiaries, during which they reviewed and provided recommendations for improving the subsidiary's security controls

B : An assessor who is married to a high-ranking executive working for one of the corporation's main competitors in the same industry

C : An assessor who has a sibling working in the corporation's IT department, but the sibling is not involved in the development, implementation, or management of the information system's security controls

D : An assessor who, three years ago, worked as an internal auditor for the corporation and was responsible for auditing the information system's security controls but left on good terms

Answer: C

Question 2

RydSecure is assessing the security controls of a multinational corporation's complex information system. The corporation has several subsidiaries, and the information system contains sensitive financial and customer data. As an authorization professional, you understand the importance of assessor independence in ensuring an unbiased and objective assessment. You have narrowed down the selection to four potential assessors. Each assessor has their own set of circumstances that could potentially affect their independence. Based on the information provided, which assessor is MOST LIKELY to maintain the highest level of independence during the evaluation of the multinational corporation's information system?

A : An assessor who recently completed a consulting engagement for one of the corporation's subsidiaries, during which they reviewed and provided recommendations for improving the subsidiary's security controls

B : An assessor who is married to a high-ranking executive working for one of the corporation's main competitors in the same industry

C : An assessor who has a sibling working in the corporation's IT department, but the sibling is not involved in the development, implementation, or management of the information system's security controls

D : An assessor who, three years ago, worked as an internal auditor for the corporation and was responsible for auditing the information system's security controls but left on good terms

Answer: C

Question 3

A small organization has limited resources and is struggling to implement all of the necessary NIST SP 800-53 security controls. Which of the following is the BEST approach for the organization?

A : Implement only those controls that are required by regulation or policy

B : Implement only those controls that are relevant to the organization's risk management strategy

C : Implement only those controls that are easy to implement

D : Outsource the implementation of all security controls to a third-party vendor

Answer: B

Question 4

An organization has implemented network segmentation as a security control to prevent unauthorized access to sensitive data. However, the organization has recently experienced a data breach in which an attacker was able to move laterally between different segments of the network. Which of the following is the most likely reason for the failure of this control?

A : Insufficient monitoring and logging of network activity

B : Weaknesses in the organization's access control policies and procedures

C : Failure to regularly test and validate the effectiveness of security controls

D : Inadequate training of network administrators and other staff

Answer: C

Question 5

Which of the following factors should be considered when determining residual risk?

A : The cost of implementing additional security controls

B : The likelihood of the identified risks being exploited

C : The personal opinions of the system owners

D : The time it takes to complete the security authorization process

Answer: B

Free Practice ISC2 CGRC Exam Questions 2025