ISC2 Governance, Risk and Compliance (CGRC) Practice Question

While outlining the scope for an upcoming assessment of the organization's payment-processing environment, the audit team wants to be certain every system that stores, processes, or transmits cardholder data is in scope-and nothing else is. Which artifact provides the clearest basis for that decision?

The enterprise risk register that lists the organization's highest-priority threats
Last quarter's vulnerability-scan results for all Internet-facing hosts
A current data-flow diagram that traces cardholder data through all connected systems and networks
The draft corrective-action plan produced after the previous audit

Report Issue

Answer Description

A current data-flow diagram shows exactly where cardholder data enters, is processed, is stored, and how it traverses internal and external connections. This visibility lets the audit team draw an accurate system boundary and keep the scope limited to components that handle the regulated data. A risk register ranks threats but does not map assets, vulnerability-scan results identify technical weaknesses rather than boundaries, and a corrective-action plan lists past deficiencies without depicting which systems are involved. Therefore, only the data-flow diagram reliably defines what must be included-or excluded-when setting the audit scope.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

What is a data-flow diagram (DFD) and why is it important for audits?

Open an interactive chat with Bash

What other steps are essential in identifying the audit scope besides using a DFD?

Open an interactive chat with Bash

How does a data-flow diagram differ from a risk register in determining audit scope?

Open an interactive chat with Bash

What is a data-flow diagram and how does it help in scoping audits?

Open an interactive chat with Bash

How is a risk register different from a data-flow diagram in audits?

Open an interactive chat with Bash

Why is vulnerability scanning insufficient for defining audit scope?

Open an interactive chat with Bash

ISC2 Governance, Risk and Compliance (CGRC)

Assessment/Audit of Security and Privacy Controls

Your Score:

Settings & Objectives

Security and Privacy Governance, Risk Management, and Compliance Program

Scope of the System

Selection and Approval of Framework, Security, and Privacy Controls

Implementation of Security and Privacy Controls

Assessment/Audit of Security and Privacy Controls

System Compliance

Compliance Maintenance

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot