ISC2 Governance, Risk and Compliance (CGRC) Practice Question
Following an information system audit, several corrective actions have been proposed and some controls have already been strengthened. To determine and document the residual risks and remaining deficiencies that still require tracking, which document should the assessor review first?
The updated Plan of Action and Milestones that tracks unresolved weaknesses
The original audit scope statement approved before fieldwork began
The business impact analysis created during system categorization
Configuration baseline snapshots taken prior to remediation activities
The Plan of Action and Milestones (POA&M) is the authoritative list of all known weaknesses that have not yet been fully remediated, together with planned remediation steps and target completion dates. By examining the updated POA&M, the assessor can see which deficiencies remain open after corrective actions, quantify any associated impact, and record the resulting residual risk in the risk response plan. The original audit scope, historical configuration snapshots, and the business impact analysis can provide context but do not identify current unresolved weaknesses in a consolidated, status-tracked format.