Documentation and Reporting (ISC2 CGRC) Flashcards

ISC2 Governance, Risk and Compliance (CGRC) Flashcards

Establishes performance expectations and accountability for services

Tracks employee training activities and certifications for compliance purposes

Simplifies the process of delivering consistent messages across teams

Use of metrics in security documentation

When to use stakeholder communication templates

What is security training program documentation

Role of governance framework in reporting

Provides structure for consistent communication about risk and compliance

Role of service level agreements in documentation

A documented database of identified risks, their severity, and mitigation strategies

Define risk register

Provides quantifiable measures for evaluating system performance and controls

Front	Back
Content of vulnerability assessment report	Identified weaknesses, risk levels, affected systems, and mitigation steps
Contents of a secure software development life-cycle report	Code review findings, vulnerability tests, and compliance checks
Define authority to operate (ATO) documentation	Approval that allows a system to operate within set security parameters
Define gap analysis report	Identifies differences between current system capabilities and compliance requirements
Define policy exception documentation	Details cases where specific standards are not met and the rationale behind them
Define risk register	A documented database of identified risks, their severity, and mitigation strategies
Documentation requirements for third-party service providers	Includes SLAs, contract terms, and compliance certifications
Elements of a security incident report	Details of the incident, actions taken, impact, and follow-up recommendations
How to document data retention policies	Outlines rules for data storage durations and secure disposal methods
How to document incident response team activities	Tracks actions taken, resources used, and timeline of responses
Importance of change management documentation	Ensures accountability and review for modifications to systems and processes
Importance of documenting security benchmarks	Provides reference standards for evaluating system performance and compliance
Importance of maintaining regulatory requirement updates	Ensures documentation stays aligned with current standards
Key components of an audit log	User actions, system events, timestamps, and data changes
Key elements of a security risk management plan	Identified risks, mitigation strategies, monitoring processes, and assigned roles
Primary audience for system documentation	Internal teams, auditors, and regulatory authorities
Purpose of access control audit report	Verifies compliance with access permissions and identifies any unauthorized access
Purpose of business impact analysis documentation	Evaluates potential disruption effects on organizational operations
Purpose of compliance reporting	Tracks performance against regulatory and organizational requirements
Purpose of configuration management plan	Defines procedures for maintaining consistency in system settings and operations
Purpose of encryption key management documentation	Specifies procedures for securing, rotating, and retiring encryption keys
Purpose of privacy impact assessment documentation	Evaluates potential effects of system operations on individual privacy
Purpose of system security plan	Describes system security controls and compliance with regulatory requirements
Reporting frequency for operational metrics	Varies by organizational policy and regulatory requirements
Responsibilities of system owners in reporting	Ensure accurate documentation and timely communication of system status
Role of communication plan in governance	Ensures stakeholders receive timely and relevant information
Role of escalation procedures in reporting	Ensures critical issues are promptly communicated to higher management
Role of governance framework in reporting	Provides structure for consistent communication about risk and compliance
Role of performance indicators in compliance reporting	Tracks goals, achievements, and areas needing improvement
Role of service level agreements in documentation	Establishes performance expectations and accountability for services
Steps for documenting system upgrades	Includes impact assessments, approval processes, and testing outcomes
Use of metrics in security documentation	Provides quantifiable measures for evaluating system performance and controls
What is a risk assessment report	Analyzes potential threats, vulnerabilities, and business impacts
What is a risk treatment plan	Outlines strategies to reduce identified risks to acceptable levels
What is continuous monitoring reporting	Ongoing collection and analysis of security data to ensure compliance and detect incidents
What is security training program documentation	Tracks employee training activities and certifications for compliance purposes
When to use stakeholder communication templates	Simplifies the process of delivering consistent messages across teams
Why document lessons learned from incidents	Improves future response and reduces risk of repeated issues
Why document third-party risk assessments	Ensures thorough evaluation of external service providers’ security practices

Front

What is a risk treatment plan

Click the card to flip

1/39

ISC2 Governance, Risk and Compliance (CGRC)

This deck covers the essential documents, reporting requirements, and communication practices needed for governance and compliance activities.

Share on...

Documentation and Reporting (ISC2 CGRC) Flashcards

ISC2 Governance, Risk and Compliance (CGRC) Flashcards

You win! 🎉