Certified Governance Risk and Compliance (CGRC) Practice Exam 2025 - Free CGRC Practice Questions and Study Guide

The choice of a regulatory policy as the correct answer is grounded in its specific focus on adhering to compliance and legal requirements. Regulatory policies are established primarily to ensure that an organization meets mandatory obligations dictated by governmental laws, industry regulations, and standards. These policies guide organizations in implementing the necessary measures to comply with legal frameworks such as data protection laws, financial regulations, and other compliance requirements relevant to their industry.

In contrast, advisory policies are usually recommendations or guidelines intended to help organizations align with best practices but are not mandatory. Informative policies serve to educate stakeholders about security principles and procedures without imposing compliance requirements. System Security policies focus on the security measures and controls specific to information systems but do not inherently address compliance or legal mandates.

Therefore, regulatory policies stand out as the critical framework ensuring that an organization operates within the bounds of established laws and compliance standards, making it essential for legal adherence and risk management.