Certified Governance Risk and Compliance (CGRC) Practice Exam 2025 - Free CGRC Practice Questions and Study Guide

NIST SP 800-53 is considered the correct answer because it provides a comprehensive framework for selecting and specifying security controls for federal information systems, as well as for other organizations seeking to enhance their security posture. This publication outlines a set of baseline security controls that organizations can implement to manage risk and protect their information systems. It categorizes controls into families, addressing various aspects such as access control, incident response, and system integrity, which serves as critical guidelines for organizations planning their security strategies.

The other publications, while relevant to risk management and compliance, serve different purposes. NIST SP 800-37 focuses on the Risk Management Framework, guiding organizations in conducting risk assessments and integrating risk management into their information systems lifecycle. NIST SP 800-26 provides a self-assessment guide for information technology systems but does not directly prescribe security controls. Lastly, NIST SP 800-60 addresses the mapping of information types to security categories but does not serve as a guideline for implementing security controls, making it less relevant in this context.