ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While drafting the preliminary assessment report, the lead assessor needs to ensure that the document is clear for senior management yet detailed enough for system administrators. Which approach best satisfies this requirement and supports traceability of each finding?
List each finding in a table that maps the applicable control identifier, a plain-language impact statement, and a concise recommended action.
Provide long narrative paragraphs organized by the date each issue was discovered during testing.
Replace written text with a single color-coded heat map that shows risk levels without explaining individual controls.
Attach the full vulnerability scanner output as the main body of the report so readers can see every log entry.
Presenting each observation in a structured table that links the control identifier, business impact, and recommended corrective action lets diverse stakeholders quickly see what control failed, why it matters to the mission, and what to do next. Tabular formatting is concise for executives, but still preserves the technical reference (control ID) that administrators need to investigate and remediate. Dumping raw scanner output, relying solely on a color-coded heat map, or writing long narrative paragraphs either omits critical detail or burdens readers with unnecessary information, reducing clarity and traceability.
Assessment/Audit of Security and Privacy Controls