ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While compiling an authorization package, the assessment team must format the Security Assessment Report so the Authorizing Official can make a timely decision. Which practice satisfies NIST guidance for documenting each control deficiency within the SAR?
Map each deficiency to its corresponding control, assign a severity rating, and recommend corrective actions.
Attach only raw test logs and screenshots so the Authorizing Official can derive severity independently.
Group all findings by functional domain and omit control identifiers to simplify the report.
Provide a single summary count of total findings without narrative details to keep the report concise.
NIST requires that the SAR present actionable information for the Authorizing Official. Assessment findings should be traceable to the specific control tested, include a severity or risk rating that indicates potential impact, and offer recommended corrective actions. This structure lets decision-makers weigh residual risk and prioritize remediation. Raw evidence without analysis, grouping findings without control identifiers, or providing only high-level counts all fail to give the AO enough context to judge system risk or to plan mitigation efforts.