ISC2 Governance, Risk and Compliance (CGRC) Practice Question
During RMF preparation for a cloud-hosted payroll system, you are asked to draw the authorization boundary before writing the security plan. Which criterion is most important for deciding whether a specific server, API, or database must be included inside that boundary?
Whether the component processes, stores, or transmits information managed by the system
Whether the component is physically located in the same data center as the system
Whether the component is owned and managed by the same cloud service provider
Whether the component resides on an IP subnet assigned to the payroll network segment
Under NIST guidance, the authorization boundary encloses every asset that processes, stores, or transmits the system's information. Physical location, ownership, or IP addressing may influence implementation details, but they do not overrule the primary requirement: if a component handles the organization's data or enables its exchange, it falls inside the boundary so that applicable security and privacy controls can be assessed. Components that merely share a data center, are vendor-owned, or sit on the same subnet but never interact with the system's data remain outside the boundary yet may be documented as external services or interconnections.
Security and Privacy Governance, Risk Management, and Compliance Program