ISC2 Governance, Risk and Compliance (CGRC) Practice Question

While compiling the security authorization package for a cloud-based HR system, you need a single artifact that lists each assessment finding, its severity, and the assessor's recommended corrective actions. Which document should you include?

Authorization Decision Document
Security Assessment Report
System Security Plan
Plan of Action and Milestones

Report Issue

Answer Description

The Security Assessment Report (SAR) is produced by the assessor after evaluating implemented controls. It documents each finding, assigns a severity or risk rating, and provides recommended corrective actions. The SAR is delivered to the system owner and authorizing official as part of the authorization package so they can understand vulnerabilities prior to deciding on risk acceptance. A Plan of Action and Milestones is generated from SAR findings but focuses on the remediation tasks and timelines, not the original assessment details. A System Security Plan describes the control implementation, and an Authorization Decision Document records the authorizing official's decision and any terms or conditions-neither of these contains the full set of assessment results and recommendations.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

What is the Security Assessment Report (SAR)?

Open an interactive chat with Bash

How is the Plan of Action and Milestones (POA&M) different from the SAR?

Open an interactive chat with Bash

What role does the Authorization Decision Document play in the authorization package?

Open an interactive chat with Bash

What is a Security Assessment Report (SAR)?

Open an interactive chat with Bash

How is a Plan of Action and Milestones (POA&M) different from a SAR?

Open an interactive chat with Bash

What role does the System Security Plan (SSP) play in the security authorization package?

Open an interactive chat with Bash

ISC2 Governance, Risk and Compliance (CGRC)

System Compliance

Your Score:

Settings & Objectives

Security and Privacy Governance, Risk Management, and Compliance Program

Scope of the System

Selection and Approval of Framework, Security, and Privacy Controls

Implementation of Security and Privacy Controls

Assessment/Audit of Security and Privacy Controls

System Compliance

Compliance Maintenance

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot