ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While drafting materials for an upcoming security control assessment, the lead assessor lists the need for 24×7 access badges, temporary domain-administrator accounts, and a single technical point-of-contact during weekend testing. In which document must these logistical requirements be formally recorded and approved before the assessment can begin?
Logistical details such as required physical access, system credentials, on-site contacts, and the planned assessment schedule are consolidated in the formal assessment (or audit) plan. The plan is reviewed and approved by key stakeholders before fieldwork starts, ensuring everyone understands and authorizes resource needs. A risk assessment report describes threats and vulnerabilities, a POA&M addresses remediation tasks after findings are identified, and a continuous monitoring strategy covers ongoing control monitoring rather than one-time assessment logistics.
ISC2 Governance, Risk and Compliance (CGRC)
Assessment/Audit of Security and Privacy Controls