CAS-004 · topic practice

Governance, Risk, and Compliance practice questions

Practise CompTIA SecurityX CAS-004 Governance, Risk, and Compliance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Governance, Risk, and Compliance

What the exam tests

What to know about Governance, Risk, and Compliance

Governance, Risk, and Compliance questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Governance, Risk, and Compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Governance, Risk, and Compliance questions

20 questions · select your answer, then reveal the explanation

A security analyst is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

A company wants to ensure that its data handling practices align with the principle of 'privacy by design'. Which of the following actions best supports this principle?

A financial institution is required to comply with SOX. Which of the following is a primary focus of this regulation?


An organization has identified a vulnerability in a legacy system that cannot be patched. The system is critical for operations, and the cost of mitigating the vulnerability exceeds the potential loss. Which risk treatment option is most appropriate?

A security manager is evaluating two risk quantification approaches: Factor Analysis of Information Risk (FAIR) and a qualitative heat map. Which of the following is a key advantage of using FAIR over the qualitative heat map?

During a vendor risk assessment, a company receives a SOC 2 Type II report from a cloud service provider. What does this report primarily attest to?

An organization is implementing continuous compliance monitoring. Which of the following metrics would best indicate whether the organization is maintaining compliance with PCI DSS Requirement 10 (log management)?

Which of the following is the correct order of the security policy hierarchy from highest to lowest?

A security architect is designing a data classification scheme. Which of the following is the highest level of sensitivity that would typically require the most stringent controls?

An organization is reviewing its third-party risk management process. Which of the following clauses should be included in contracts with critical vendors to ensure ongoing visibility into their security posture?

A company is considering adopting the NIST Risk Management Framework (RMF). Which of the following steps is unique to NIST RMF compared to ISO 27005?

A security team is measuring the effectiveness of its incident response process. Which of the following metrics would best indicate how quickly the team can contain an incident after it is detected?

A small business is implementing a privacy impact assessment (PIA) for a new application that processes personal data of EU citizens. Which TWO of the following are required under GDPR?

A security manager is selecting key risk indicators (KRIs) for the organization's risk management program. Which THREE of the following are examples of KRIs that can provide early warning of increasing risk?

An organization is reviewing its supply chain risk management. Which TWO of the following are effective strategies to manage fourth-party risk?

A financial institution is evaluating a cloud service provider for hosting customer data. During the due diligence process, which report would best help the institution assess the provider's control environment and compliance with SOC 2?

An organization is implementing a data classification scheme. Which data type should be given the highest protection and is typically restricted to a very small number of individuals?

A security analyst calculates the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $50,000, and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

Which risk treatment option involves reducing the likelihood or impact of a risk through controls?

A healthcare organization must comply with HIPAA. Which of the following is a key requirement for protecting electronic protected health information (ePHI)?


Frequently asked questions

What does the CAS-004 exam test about Governance, Risk, and Compliance?
Governance, Risk, and Compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Governance, Risk, and Compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Governance, Risk, and Compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CAS-004 topics?
Use the topic links above to move to related areas, or go back to the CAS-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CAS-004 exam covers. They are not copied from any real exam or dump site.