ISC2 Governance, Risk and Compliance (CGRC) Practice Question
During a pre-authorization audit of a newly deployed cloud-based HR system, you discover the system owner has prepared configuration baselines, user training guides, and a risk assessment report. Auditors note that required "plan" documentation aligning controls with the system's purpose, scope, and risk profile is still missing. Which document should you request?
A system security plan detailing implemented controls, roles, and system boundaries
A security assessment report summarizing test results and residual risks of the controls
A configuration management policy outlining change control requirements across the organization
An incident response plan describing detection, containment, and recovery procedures for security events
A system security plan (SSP) is the authoritative document that describes the information system's purpose, environment, boundaries, and the specific security controls implemented or planned. It maps each control to organizational and regulatory requirements, identifies responsible roles, and thus demonstrates how the control baseline satisfies the system's risk posture. An incident response plan focuses only on detecting and handling incidents, not on documenting every implemented control. A configuration management policy defines organizational change-control expectations but does not capture the full control set for a particular system. A security assessment report records test results and residual risks after controls are evaluated, but it is separate from the plan that defines and organizes those controls in the first place. Therefore, requesting the SSP closes the documentation gap identified by the auditors.
Implementation of Security and Privacy Controls