ISC2 Governance, Risk and Compliance (CGRC) Practice Question

During scoping for a compliance assessment, your team debates including the externally hosted CRM SaaS that exchanges customer PII with on-premises systems. Which factor provides the strongest justification for keeping the SaaS in scope?

The SaaS provider, not the organization, owns and manages the underlying hardware.
Its servers are physically located outside the corporate data center.
The service processes and stores regulated customer data integral to business workflows.
Collecting audit evidence from a SaaS vendor will lengthen the project schedule.

ISC2 Governance, Risk and Compliance (CGRC)

Assessment/Audit of Security and Privacy Controls

Your Score:

Settings & Objectives

Security and Privacy Governance, Risk Management, and Compliance Program

Scope of the System

Selection and Approval of Framework, Security, and Privacy Controls

Implementation of Security and Privacy Controls

Assessment/Audit of Security and Privacy Controls

System Compliance

Compliance Maintenance

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Wipe Score

Bash, the Crucial Exams Chat Bot

AI Bot

ISC2 Governance, Risk and Compliance (CGRC) Practice Question

Answer Description

Ask Bash

What does it mean for a system to be 'in scope' during a compliance assessment?

Why does regulated customer data impact whether a service is in scope?

Why are physical location and ownership of hardware not determining factors for compliance scope?

Why does handling regulated customer data make the CRM SaaS part of the compliance scope?

What does ‘system boundary’ mean in compliance assessments?

Why doesn’t physical location or hardware ownership affect compliance obligations?

Monthly

$19.99

Billed monthly,
Cancel any time.

3 Month Pass

$44.99

One time purchase of $44.99,
Does not auto-renew.

Annual Pass

$119.99

One time purchase of $119.99,
Does not auto-renew.

Lifetime Pass

$189.99

One time purchase,
Good for life.

All Exams

Unlimited Tests

Unlimited Questions

AI Tutor

Track scores

Report Cards

Voucher Discounts

Advanced PBQs

Included Exams

ISC2 Governance, Risk and Compliance (CGRC) Practice Question

Report Issue

Answer Description

Ask Bash

What does it mean for a system to be 'in scope' during a compliance assessment?

Why does regulated customer data impact whether a service is in scope?

Why are physical location and ownership of hardware not determining factors for compliance scope?

Why does handling regulated customer data make the CRM SaaS part of the compliance scope?

What does ‘system boundary’ mean in compliance assessments?

Why doesn’t physical location or hardware ownership affect compliance obligations?

Report Issue