CIS Risk & Compliance GRC/IRM Practice Test 2026 | ServiceNow GRC Exam Prep

Name: CIS Risk & Compliance GRC/IRM Practice Test 2026
Price: 9.99 USD
Availability: InStock

1.In the Audit Workspace an Auditor creates an Evidence Request task and assigns it to a First Line user. When the First Line user opens the task to respond which action are they strictly required to take to move the workflow forward

ACreate a new Control Test
BAttach a file or link to a record and submit the task for approval
CManually close the Audit Engagement
DMark the related Control as Compliant

Show full explanation

Correct Answer

B - Attach a file or link to a record and submit the task for approval

Source

ServiceNow Zurich Documentation - Audit Evidence Requests

Expert Explanation

Evidence Request tasks are assigned to First Line users so they can provide proof of control effectiveness. The user attaches files (documents, screenshots, exports) or links to existing ServiceNow records, then submits the task back for auditor review. This attachment-and-submit pattern ensures evidence is formally captured and routed through the approval chain.

Why the Others Are Wrong

Creating Control Tests (A) is a separate compliance activity. Closing an Audit Engagement (C) is reserved for Audit leadership. Marking a Control as Compliant (D) results from auditor evaluation of test results, not from evidence submission.

Memory Tip

Think "Evidence = Attach + Submit." The First Line user is like a witness in court - they provide evidence, they do not render the verdict.

Real-World Example

An IT administrator receives an Evidence Request to prove that quarterly access reviews were completed. They attach the exported access review report from their IAM tool and submit the task. The auditor then reviews the attachment and approves or rejects it.

2.To allow other applications such as Incident Management to request a policy exception you must configure the Integration Registry. What is a mandatory field on the Integration Registry form

ASource application
BPolicy exception target table
CFlow Designer flow
DRequesting user

Show full explanation

Correct Answer

B - Policy exception target table

Source

ServiceNow Zurich Documentation - Configure Integration Registry

Expert Explanation

The Integration Registry enables cross-application policy exception requests. The Policy exception target table field is mandatory because the system must know which table to create exception records in when an external application triggers a request. This mapping is the core purpose of the registry configuration.

Why the Others Are Wrong

Source application (A) provides context but is not mandatory. Flow Designer flow (C) is a separate automation tool. Requesting user (D) is a runtime value, not a configuration field.

Memory Tip

Integration Registry = "Where do exceptions land-" The target table is the landing pad - without it, the system has nowhere to put the exception record.

Real-World Example

A company wants Incident Management agents to request policy exceptions when a critical incident requires bypassing a security policy. The admin configures the Integration Registry with the policy exception target table so the exception record is created in the correct GRC table when triggered from an incident.

3.Which specific role enables a user to report a Risk Event such as a financial loss or near-miss from the Service Portal without granting them full access to the backend Risk Management application

Asn_risk.user
Bsn_grc.business_user
Csn_risk.manager
Dsn_grc.reader

Show full explanation

Correct Answer

B - sn_grc.business_user

Source

ServiceNow Zurich Documentation - GRC Roles

Expert Explanation

The sn_grc.business_user role is purpose-built for employees who need to interact with GRC processes (like reporting risk events or responding to assessments) through the Service Portal. It provides a controlled, user-friendly interface without granting access to the full backend GRC application, following the principle of least privilege.

Why the Others Are Wrong

sn_risk.user (A) is a backend role, not portal-focused. sn_risk.manager (C) grants excessive privileges for simple event reporting. sn_grc.reader (D) is read-only and cannot create records.

Memory Tip

"Business user = business people reporting from the portal." The role name says it all - it is for business users, not GRC specialists.

Real-World Example

A branch manager discovers a near-miss security incident at their location. With the sn_grc.business_user role, they log into the Service Portal, fill out a Risk Event form describing the incident, and submit it. The Risk Management team receives the report without the branch manager ever accessing the backend GRC module.

4.When configuring a Risk Assessment Methodology (RAM) you have the option to define the Assessment Context. Which context type would you select if you need to assess a specific ServiceNow record such as a Change Request or Project directly without requiring the record to be defined as a GRC Entity

AEntity-based
BClass-based
CObject-based
DRecord-based

Show full explanation

Correct Answer

C - Object-based

Source

ServiceNow Zurich Documentation - Risk Assessment Methodology

Expert Explanation

The Risk Assessment Methodology (RAM) supports different assessment contexts. Object-based context targets specific ServiceNow records directly, bypassing the need to define them as GRC Entities. This is useful when you want to assess risk on operational records like Change Requests or Projects without the overhead of entity management.

Why the Others Are Wrong

Entity-based (A) requires GRC Entity registration first. Class-based (B) is not a valid assessment context type. Record-based (D) is not the correct ServiceNow terminology - the platform calls it Object-based.

Memory Tip

Think "Object = Any Object in the system." Object-based means you point directly at any record (object) without the formality of making it an Entity first.

Real-World Example

A risk analyst needs to assess the risk of a major infrastructure Change Request. Using Object-based context in the RAM, they can run a risk assessment directly on that Change Request record without first creating a GRC Entity for it.

5.In a quantitative risk analysis if the Single Loss Expectancy (SLE) is $1000000 and the Annualized Rate of Occurrence (ARO) is 20% what is the Annualized Loss Expectancy (ALE)

A$200,000
B$2,000,000
C$10,000
D$1,000,000

Show full explanation

Correct Answer

A - $200,000

Source

ServiceNow Zurich Documentation - Quantitative Risk Analysis

Expert Explanation

Quantitative risk analysis uses the formula ALE = SLE x ARO. The Single Loss Expectancy (SLE) represents the cost of a single occurrence. The Annualized Rate of Occurrence (ARO) represents how often it happens per year. Multiplying these gives the expected annual loss: $1,000,000 x 0.20 = $200,000.

Why the Others Are Wrong

$2,000,000 (B) incorrectly multiplies by 2 instead of 0.20. $10,000 (C) has no valid derivation. $1,000,000 (D) is the SLE, not the ALE - it ignores the frequency factor entirely.

Memory Tip

ALE = SLE x ARO. "Annual Loss = Single Loss x Annual Rate." Just multiply the one-time loss by how often it happens per year. 20% = 0.20, so multiply by 0.20.

Real-World Example

A data center faces a risk of server failure costing $1,000,000 per event. Historical data shows this happens about once every five years (20% per year). The organization budgets $200,000 annually for this risk, which helps justify spending up to $200,000/year on preventive controls.

6.What would you use in order to accommodate a customer's unique process around policy approvals- For example each policy needs a second layer of approval.

ACreate a new field and create notifications
BAdd a new related list to keep track of who has already approved it and who hasn't approved yet
CAdd a UI Action to track who the stakeholders are
DCreate a new workflow in the workflow editor

Show full explanation

Correct Answer

D - Create a new workflow in the workflow editor

Source

ServiceNow Zurich Documentation - Policy Lifecycle

Expert Explanation

Policy approval processes in ServiceNow GRC are driven by workflows. When a customer requires a unique approval process - such as adding a second approval layer - the correct approach is to create a custom workflow using the Workflow Editor. This gives full control over approval routing, conditions, and sequencing.

Why the Others Are Wrong

Fields and notifications (A) are passive - they inform but do not control process flow. Related lists (B) display data but do not enforce approval logic. UI Actions (C) are point actions, not process orchestrators capable of managing multi-step approvals.

Memory Tip

"Custom process = Custom workflow." Whenever you hear about changing approval steps or routing, think Workflow Editor. It is the process engine of ServiceNow.

Real-World Example

A financial services firm requires that every policy be approved first by the Policy Owner and then by the Chief Compliance Officer before publication. The admin creates a workflow with two sequential approval activities, ensuring neither step can be skipped.

7.Which specific table stores the many-to-many relationship links between Control Objectives and Citations

Asn_compliance_m2m_policy_profile_type
Bsn_compliance_m2m_statement_citation
Csn_compliance_m2m_statement_policy
Dsn_compliance_citation_m2m_objective

Show full explanation

Correct Answer

B - sn_compliance_m2m_statement_citation

Source

ServiceNow Zurich Documentation - Compliance Data Model

Expert Explanation

ServiceNow GRC uses many-to-many (m2m) tables to link related records. Control Objectives are stored as "statement" records in the platform. The sn_compliance_m2m_statement_citation table creates the links between these statement (Control Objective) records and Citation records, enabling a single objective to map to multiple citations and vice versa.

Why the Others Are Wrong

sn_compliance_m2m_policy_profile_type (A) links policies to profile types. sn_compliance_m2m_statement_policy (C) links statements to policies. sn_compliance_citation_m2m_objective (D) does not exist - it uses incorrect naming conventions.

Memory Tip

"Statement = Control Objective" in GRC table names. So statement_citation = the bridge table between Control Objectives and Citations.

Real-World Example

A compliance team maps their "Access Control Review" objective to three regulatory citations: SOX Section 404, PCI-DSS Requirement 7, and ISO 27001 A.9.2. Each mapping creates a record in the sn_compliance_m2m_statement_citation table.

8.When configuring the Assessment Context for a Risk Assessment Methodology (RAM) in the Advanced Risk application which of the following are valid options (Choose two.) (choose 2)

ARisk Statement
BRisk
CProject Risk
DObject

Show full explanation

Correct Answer

B - Risk, D - Object

Source

ServiceNow Zurich Documentation - Risk Assessment Methodology

Expert Explanation

The Advanced Risk application supports multiple Assessment Context types when configuring a RAM. The two valid options from this list are Risk (assessing risk records directly) and Object (assessing any ServiceNow record without entity registration). These contexts determine what type of record the assessment targets.

Why the Others Are Wrong

Risk Statement (A) defines risk descriptions but is not an assessment context type. Project Risk (C) is not a standalone context option in the RAM configuration.

Memory Tip

Valid RAM contexts: "Risk and Object - R.O." Risk targets risk records. Object targets any record. Simple and direct.

Real-World Example

A risk team configures two RAMs: one with Risk context to score enterprise risks using a 5x5 matrix, and another with Object context to assess individual Change Requests for operational risk before approval.

9.You have configured two different Entity Class Rules that both target the Department [cmn_department] table. If a specific Department record matches the conditions defined in both rules which logic determines which Entity Class is assigned

AThe rule created most recently takes precedence
BThe rule with the lowest Order value takes precedence
CBoth classes are assigned to the Entity
DThe system prevents the Entity from being created until the conflict is resolved

Show full explanation

Correct Answer

B - The rule with the lowest Order value takes precedence

Source

ServiceNow Zurich Documentation - Entity Class Rules

Expert Explanation

Entity Class Rules use an Order field to determine priority when multiple rules match the same record. The rule with the lowest Order value wins. This is a standard ServiceNow pattern used across Business Rules, Data Policies, and other rule-based configurations throughout the platform.

Why the Others Are Wrong

Creation date (A) is irrelevant to rule priority. Assigning both classes (C) would create ambiguity and is not how the system works. Blocking creation (D) would halt operations unnecessarily when a simple ordering mechanism resolves the conflict.

Memory Tip

"Lowest Order wins" - just like everywhere else in ServiceNow. Think of it as a race: runner #1 (lowest number) crosses the finish line first.

Real-World Example

Two rules target the Department table: Rule A (Order 100) assigns "IT Department" class, Rule B (Order 200) assigns "General Department" class. When the "IT Security" department matches both rules, it gets the "IT Department" class because Rule A has the lower Order value.

10.Who can request approval for a policy- (Choose two.) (choose 2)

APolicy owner
BPolicy requester
CCompliance manager
DAudit manager
ERisk manager
FPolicy contributor

Show full explanation

Correct Answer

A - Policy owner, B - Policy requester

Source

ServiceNow Zurich Documentation - Policy Lifecycle

Expert Explanation

In the ServiceNow GRC policy lifecycle, two roles can request approval: the Policy owner (who is responsible for the policy) and the Policy requester (who initiated it). This dual-authority model ensures that either the originator or the responsible party can move the policy through its approval workflow.

Why the Others Are Wrong

Compliance manager (C), Audit manager (D), and Risk manager (E) work in different GRC domains and do not request policy approvals. Policy contributor (F) supports drafting but lacks authority to initiate the approval process.

Memory Tip

"Owner and Requester - the two people with skin in the game." The owner owns it, the requester asked for it. Both have the authority to push it forward.

Real-World Example

The VP of IT Security (policy owner) drafts an updated Data Classification Policy. Either she or the compliance analyst (policy requester) who originally requested the policy can click "Request Approval" to send it to the approval committee.

11.What are the most common baseline tables used in an entity filter to generate entities for an entity type- (Choose three.) (choose 3)

Acmn_job_center
Bcmn_department
Ccmn_location
Dcore_company
Ecmn_geography

Show full explanation

Correct Answer

B - cmn_department, C - cmn_location, D - core_company

Source

ServiceNow Zurich Documentation - Entity Types and Filters

Expert Explanation

GRC entities represent the organizational units that need governance. Entity filters query baseline tables to automatically generate entities. The three most common tables are cmn_department (departments), cmn_location (locations), and core_company (companies). These represent the standard organizational hierarchy most companies use for GRC scoping.

Why the Others Are Wrong

cmn_job_center (A) is too granular and not a standard GRC scoping unit. cmn_geography (E) is too broad and not commonly used as a direct entity source - locations serve this purpose better.

Memory Tip

"D-L-C: Department, Location, Company" - the three pillars of organizational structure. Every company has these three, and every GRC program governs by these three.

Real-World Example

A multinational corporation sets up GRC entities using all three tables: 15 departments (cmn_department), 30 office locations (cmn_location), and 5 subsidiary companies (core_company). Each entity gets appropriate controls, policies, and risk assessments assigned automatically.

12.For classic risk assessment indicator failure factor represents the impact of risk indicator failures on what score-

AInherent ALE
BCalculated ALE
CResidual ALE
DInherent SLE

Show full explanation

Correct Answer

B - Calculated ALE

Source

ServiceNow Zurich Documentation - Classic Risk Assessment

Expert Explanation

In classic risk assessment, risk indicators monitor control effectiveness. When these indicators fail (showing controls are not working properly), the failure factor adjusts the Calculated ALE to reflect higher expected losses. This ensures the risk score accurately represents current control performance rather than theoretical values.

Why the Others Are Wrong

Inherent ALE (A) is the baseline before controls - it is not affected by indicator performance. Residual ALE (C) is a downstream calculation. Inherent SLE (D) is a single-event figure unrelated to indicator monitoring.

Memory Tip

"Indicators fail, Calculated ALE goes up." The failure factor modifies the calculation - hence Calculated ALE. It is not inherent (before controls) and not residual (after treatment).

Real-World Example

A firewall monitoring indicator fails three consecutive checks, triggering the failure factor. The Calculated ALE for the "Network Intrusion" risk increases from $50,000 to $150,000, alerting the risk team that current controls are not performing as expected.

13.When setting up a Regulatory Change Management integration with a provider RSS feed which records are required to be configured (Choose three.) (choose 3)

ARegulatory Taxonomy
BFeed Source
CConnection and Credentials
DProvider
ERegulatory Event

Show full explanation

Correct Answer

B - Feed Source, C - Connection and Credentials, D - Provider

Source

ServiceNow Zurich Documentation - Configure RSS Feed Integration

Expert Explanation

Setting up a Regulatory Change Management RSS feed integration requires three configuration records: Provider (who supplies the content), Feed Source (the specific RSS feed to poll), and Connection and Credentials (how to authenticate). These three form the integration chain from authentication to content retrieval.

Why the Others Are Wrong

Regulatory Taxonomy (A) categorizes content after ingestion but is not part of the feed setup. Regulatory Event (E) is an output of the feed processing, not an input to the configuration.

Memory Tip

"P-F-C: Provider, Feed, Credentials" - Who provides it- Where is the feed- How do we connect- Three questions, three required records.

Real-World Example

A bank sets up a Thomson Reuters Regulatory Intelligence feed: they create a Provider record for Thomson Reuters, configure Connection and Credentials with their API key, and define a Feed Source pointing to the specific RSS URL for banking regulations.

14.For a particular risk assessment methodology (RAM) the control effectiveness score is calculated based on an individual assessment of controls. What are options for control identification- (Choose three.) (choose 3)

AControls are identified from library and ad-hoc
BControls are identified from indicator results
CControls are identified from library
DControls are identified ad-hoc
EControls are identified from related issues

Show full explanation

Correct Answer

A - Controls are identified from library and ad-hoc, C - Controls are identified from library, D - Controls are identified ad-hoc

Source

ServiceNow Zurich Documentation - Risk Assessment Methodology

Expert Explanation

When configuring control effectiveness scoring in a RAM, you choose how controls are identified for assessment. The three valid options are: from the Control Library only (standardized), ad-hoc only (flexible), or a combination of both library and ad-hoc. These options balance standardization with flexibility depending on organizational needs.

Why the Others Are Wrong

Indicator results (B) monitor existing controls but do not identify them for assessment. Related issues (E) are findings from assessments, not inputs to control identification.

Memory Tip

Three options for finding controls: "Library, Ad-hoc, or Both." Think of it like shopping: from a catalog (library), finding items yourself (ad-hoc), or doing both.

Real-World Example

A healthcare company uses "library and ad-hoc" for their HIPAA risk assessments. Standard HIPAA controls come from the library, but assessors can add custom controls for department-specific processes that are not in the standard library.

15.If a Control is created manually for an Entity and that Entity is later added to an Entity Type that automatically generates the same Control what is the result

AServiceNow identifies the existing control and links it
BServiceNow overwrites the manual control with the automatic one
CServiceNow creates a duplicate control and triggers a notification
DServiceNow creates a duplicate control without notifying the control owner

Show full explanation

Correct Answer

D - ServiceNow creates a duplicate control without notifying the control owner

Source

ServiceNow Zurich Documentation - Entity Scoping

Expert Explanation

When an Entity is added to an Entity Type that auto-generates controls, ServiceNow creates the controls defined by the Entity Type without checking for existing manual controls on that Entity. This results in duplicate controls with no notification. Administrators should be aware of this behavior and plan control assignments carefully to avoid redundancy.

Why the Others Are Wrong

Linking existing controls (A) would require duplicate detection logic that does not exist in this context. Overwriting (B) would destroy audit trails. Notification on duplicate (C) would be helpful but is not the platform behavior - no alert is generated.

Memory Tip

"Auto-generation is blind" - it does not look at what already exists. It just creates what the Entity Type template says to create, duplicates or not.

Real-World Example

An admin manually creates a "Quarterly Access Review" control for the Finance Department entity. Later, the Finance Department is added to a "Regulated Department" Entity Type that auto-generates the same control. Now Finance has two identical "Quarterly Access Review" controls, and nobody is notified about the duplication.

CIS Risk & Compliance GRC/IRM - ServiceNow Practice Test 2026

What's included

15 Free Preview Questions

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip

Real-World Example

Correct Answer

Source

Expert Explanation

Why the Others Are Wrong

Memory Tip