Documentation and Reporting (ISC2 CGRC) Flashcards
ISC2 Governance, Risk and Compliance (CGRC) Flashcards

| Front | Back |
|---|---|
| Content of vulnerability assessment report | Identified weaknesses, risk levels, affected systems, and mitigation steps |
| Contents of a secure software development life-cycle report | Code review findings, vulnerability tests, and compliance checks |
| Define authorization to operate (ATO) documentation | Formal decision by an authorizing official accepting the residual risk and allowing a system to operate within set security parameters |
| Define gap analysis report | Identifies differences between current system capabilities and compliance requirements |
| Define policy exception documentation | Details cases where specific standards are not met and the rationale behind them |
| Define risk register | A documented database of identified risks, their severity, and mitigation strategies |
| Documentation requirements for third-party service providers | Includes SLAs, contract terms, and compliance certifications |
| Elements of a security incident report | Details of the incident, actions taken, impact, and follow-up recommendations |
| How to document data retention policies | Outlines rules for data storage durations and secure disposal methods |
| How to document incident response team activities | Tracks actions taken, resources used, and timeline of responses |
| Importance of change management documentation | Ensures accountability and review for modifications to systems and processes |
| Importance of documenting security benchmarks | Provides reference standards for evaluating system performance and compliance |
| Importance of maintaining regulatory requirement updates | Ensures documentation stays aligned with current standards |
| Key components of an audit log | Who acted (user or subject identity), what was done (user actions and system events), when it happened (timestamps), the outcome, and what data changed |
| Key elements of a security risk management plan | Identified risks, mitigation strategies, monitoring processes, and assigned roles |
| Primary audience for system documentation | Internal teams, auditors, and regulatory authorities |
| Purpose of access control audit report | Verifies compliance with access permissions and identifies any unauthorized access |
| Purpose of business impact analysis documentation | Evaluates potential disruption effects on organizational operations |
| Purpose of compliance reporting | Tracks performance against regulatory and organizational requirements |
| Purpose of configuration management plan | Defines procedures for maintaining consistency in system settings and operations |
| Purpose of encryption key management documentation | Specifies procedures for securing, rotating, and retiring encryption keys |
| Purpose of privacy impact assessment documentation | Evaluates potential effects of system operations on individual privacy |
| Purpose of system security plan | Describes system security controls and compliance with regulatory requirements |
| Reporting frequency for operational metrics | Varies by organizational policy and regulatory requirements |
| Responsibilities of system owners in reporting | Ensure accurate documentation and timely communication of system status |
| Role of communication plan in governance | Ensures stakeholders receive timely and relevant information |
| Role of escalation procedures in reporting | Ensures critical issues are promptly communicated to higher management |
| Role of governance framework in reporting | Provides structure for consistent communication about risk and compliance |
| Role of performance indicators in compliance reporting | Tracks goals, achievements, and areas needing improvement |
| Role of service level agreements in documentation | Establishes performance expectations and accountability for services |
| Steps for documenting system upgrades | Includes impact assessments, approval processes, and testing outcomes |
| Use of metrics in security documentation | Provides quantifiable measures for evaluating system performance and controls |
| What is a risk assessment report | Analyzes potential threats, vulnerabilities, and business impacts |
| What is a risk treatment plan | Outlines strategies to reduce identified risks to acceptable levels |
| What is continuous monitoring reporting | Ongoing collection and analysis of security data to ensure compliance and detect incidents |
| What is security training program documentation | Tracks employee training activities and certifications for compliance purposes |
| When to use stakeholder communication templates | Simplifies the process of delivering consistent messages across teams |
| Why document lessons learned from incidents | Improves future response and reduces risk of repeated issues |
| Why document third-party risk assessments | Ensures thorough evaluation of external service providers’ security practices |
About the Flashcards
Flashcards for the ISC2 Governance, Risk and Compliance (CGRC) exam reinforce the core documentation and reporting skills demanded by modern security and compliance roles. Each card condenses critical definitions, purposes, and audiences for plans and reports you will need to recall on test day, from system security plans to vulnerability assessment summaries.
Use the deck to drill the structure of audit logs, elements of effective incident reports, and the lifecycle of risk registers and treatment plans. You will also review change and configuration management documents, continuous monitoring metrics, privacy and business impact analyses, and governance-driven communication templates, terminology that frequently appears in scenario-based questions.
Topics covered in this flashcard deck:
- Security documentation
- Compliance reporting
- Risk management plans
- Incident response logs
- Governance communication
- Change & configuration