ISC2 Governance, Risk and Compliance (CGRC) Practice Question
After completing interviews, documentation reviews, and technical testing on a cloud-based payment system, you begin drafting the initial security assessment report that will be shared with the system owner and authorizing official. To ensure they can immediately start prioritizing and planning risk responses, which information must be captured in this preliminary report before distribution?
Formal executive signatures indicating acceptance of all residual risks
A concise statement of every identified risk, linking the deficient control to its likelihood, potential impact, and overall risk rating
A fully developed project schedule for installing new security tools to remediate the findings
Raw log files and the entire vulnerability-scanner output collected during testing
The initial assessment (or security assessment) report is expected to present the specific risks discovered during the assessment. For each deficient or missing control, the assessor should describe the vulnerability or control weakness, the associated threat scenario, and the potential impact, then assign a likelihood and overall risk rating. This concise risk statement enables stakeholders to understand severity and urgency so they can decide whether to accept, mitigate, transfer, or avoid each risk. Detailed remediation project plans, formal approval signatures, and complete technical evidence repositories are useful in later stages, but they are not required elements of the preliminary report and can overwhelm or mislead decision makers at this point.
Assessment/Audit of Security and Privacy Controls