ISC2 Governance, Risk and Compliance (CGRC) Practice Question

The Plan of Action and Milestones (POA&M) is specifically intended to capture known security or privacy weaknesses that remain after controls are implemented. It lists each weakness, the corrective action to be taken, required resources, responsible individuals, and scheduled completion dates, and it is maintained until every item is resolved. A System Security Plan (SSP) describes the system environment and the implementation status of controls but does not track remediation tasks over time. A Configuration Management Plan governs how system changes are requested, evaluated, and approved; it is not used to log residual risks. A Continuous Monitoring Strategy outlines how controls will be assessed on an ongoing basis, but it also does not serve as the formal register for outstanding deficiencies. Therefore, the POA&M is the correct document for recording and managing the residual weakness in AC-2.