ISC2 Governance, Risk and Compliance (CGRC) Practice Question

A System Security Plan (SSP) is the foundational document in the Risk Management Framework that details the system's boundaries, operational environment, and every security control selected or implemented. Assessors rely on the SSP to understand how the organization intends to meet each control requirement before they decide what additional evidence, interviews, or technical tests are necessary. A Plan of Action and Milestones focuses only on outstanding deficiencies and does not provide a complete control picture. An Authorization to Operate letter merely records the authorizing official's decision and gives no detail about control implementation. A configuration baseline snapshot is useful for technical verification but lacks the broader context of all administrative, technical, and managerial controls. Therefore, reviewing the SSP first gives the assessor the most comprehensive starting point for evaluating compliance.