ISC2 Governance, Risk and Compliance (CGRC) Practice Question
A newly appointed Information System Security Officer must recommend how often stakeholders should meet to review evidence of ongoing compliance for a mission-critical, high-impact information system. According to NIST Risk Management Framework guidance, which factor should have the greatest influence on setting this formal review frequency?
The information system's impact level and the rate at which its operating environment or threats change
The organization's annual budget and fiscal planning calendar
The timing of mandated external compliance audits (for example, every three years)
The personal preference of the Change Control Board chairperson
NIST RMF and the associated guidance in publications such as SP 800-37 and SP 800-137 state that organizations are expected to establish monitoring and review frequencies that are commensurate with the level of risk. Systems with higher impact levels or operating in rapidly changing, high-threat environments warrant more frequent compliance reviews to ensure that security and privacy controls remain effective. While audit schedules, budget cycles, and leadership preferences may affect logistical planning, they are secondary to the fundamental requirement that monitoring be driven by the system's risk, criticality, and environmental volatility. Therefore, basing the review cadence on the system's impact level and how quickly its threat or technology environment changes is the most appropriate approach. Other options focus on administrative convenience rather than risk management, and thus do not satisfy RMF expectations.