ISC2 Governance, Risk and Compliance (CGRC) Practice Question

During a follow-up audit, the database team reports that a vendor patch has been applied to correct a previously non-compliant input-validation control. To confirm the deficiency is resolved and no new vulnerabilities were introduced, what is the assessor's best next step?

Transfer the remaining risk to the software vendor and simply update the risk register.
Re-execute the original control test on the patched system and evaluate adjacent controls for any unintended side effects.
Accept closure based on the system owner's signed memo since the patch comes from a trusted vendor.
Defer testing until the next annual assessment cycle and note the change in the audit plan.

Report Issue

Answer Description

The assessor must obtain objective evidence that the control now operates effectively and that the change has not negatively affected related safeguards. Re-running the original test (e.g., input-validation checks) on the patched system and performing a brief impact analysis on adjoining controls provides direct verification. Simply accepting the system owner's attestation, deferring review, or transferring the risk does not meet due-diligence requirements because they do not demonstrate that the fix is effective or that it did not create additional weaknesses.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

What does input-validation control mean in this context?

Open an interactive chat with Bash

Why is re-executing the original control test important after applying a patch?

Open an interactive chat with Bash

What is an impact analysis on adjoining controls?

Open an interactive chat with Bash

Why is re-executing the original test necessary after applying a patch?

Open an interactive chat with Bash

What does 'evaluate adjacent controls' mean in this context?

Open an interactive chat with Bash

Why isn't accepting the system owner's memo sufficient to verify a patch's effectiveness?

Open an interactive chat with Bash

What is an input-validation control in a database?

Open an interactive chat with Bash

What does it mean to evaluate adjacent controls in a system?

Open an interactive chat with Bash

Why is objective evidence required in audits?

Open an interactive chat with Bash

ISC2 Governance, Risk and Compliance (CGRC)

Assessment/Audit of Security and Privacy Controls

Your Score:

Settings & Objectives

Security and Privacy Governance, Risk Management, and Compliance Program

Scope of the System

Selection and Approval of Framework, Security, and Privacy Controls

Implementation of Security and Privacy Controls

Assessment/Audit of Security and Privacy Controls

System Compliance

Compliance Maintenance

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot