ISC2 Governance, Risk and Compliance (CGRC) Practice Test

ISC2 Governance, Risk and Compliance (CGRC) Information
Overview of the CGRC Certification
The ISC2 Certified in Governance, Risk and Compliance (CGRC) credential replaced the Certified Authorization Professional (CAP) title on 15 February 2023 to better reflect the knowledge and skills demanded of modern GRC practitioners. CGRC holders are expected to integrate governance, risk management and regulatory compliance across multiple frameworks—capabilities now recognized by employers worldwide, including the U.S. Department of Defense, which lists the certification under DoDM 8140.03 workforce requirements. To earn the credential you must pass the exam and document at least two years of paid, cumulative work experience in one or more of the seven CGRC domains; candidates lacking the experience can become an Associate of ISC2 while they accrue it.
Exam Format and Content
The computer-based CGRC exam lasts three hours and presents 125 multiple-choice or advanced-item questions. A scaled score of 700 out of 1,000 is required to pass. Content is distributed across seven domains—such as Security and Privacy Governance, Risk Management and Compliance Program (16 %), Implementation of Security and Privacy Controls (17 %) and Compliance Maintenance (13 %)—reflecting the 2024 job-task-analysis update. In the Americas the registration fee is US $599, and testing is delivered exclusively through Pearson VUE centers. Understanding both the weighting and the time limit lets you allocate study hours and develop pacing strategies that mirror the real exam.
The Power of Practice Exams
Timed, high-quality practice exams are one of the quickest ways to convert reading into exam-day readiness. They reveal whether your conceptual understanding holds up under a three-hour clock, spotlight weak domains early, and acclimate you to ISC2’s scenario-driven questioning style. ISC2 recommends using practice assessments to verify comprehension and identify gaps—not to memorize answers—because the real CGRC exam rewards depth of understanding over rote recall. Many candidates track scores by domain until they consistently exceed the 700-point benchmark, using post-test reviews to drill into missed concepts and refine time management.
Putting It All Together: A Strategic Study Plan
Map the exam outline to a calendar that back-loads heavier-weighted domains and includes weekly practice-test checkpoints. Blend modalities: official ISC2 Online Self-Paced or Instructor-Led training, white-papers and control catalogs keep the material fresh and contextual. Adaptive platforms can personalize that journey by flagging knowledge gaps and shortening review cycles, letting you spend more time where it matters. In the final weeks, rotate full-length practice exams with focused drills, refine your test-taking routine (breaks, hydration, mindfulness) and book the real exam when your timed practice scores stabilize above target. This metrics-driven approach not only boosts the odds of a first-time pass but also builds the confidence to apply GRC principles on the job.

Free ISC2 Governance, Risk and Compliance (CGRC) Practice Test
- 20 Questions
- Unlimited time
- Domains covered:
  - Security and Privacy Governance, Risk Management, and Compliance Program
  - Scope of the System
  - Selection and Approval of Framework, Security, and Privacy Controls
  - Implementation of Security and Privacy Controls
  - Assessment/Audit of Security and Privacy Controls
  - System Compliance
  - Compliance Maintenance
During RMF Step 5 you are advising an Authorizing Official on whether to accept residual risk for an agency's new payment portal that will store cardholder primary account numbers. The system owner proposes leaving the data unencrypted because the assessed likelihood of compromise is low and encryption will delay deployment. Which explanation best justifies rejecting this risk-acceptance request?
OMB Circular A-123 requires financial risks to be transferred through insurance or contractual clauses, so acceptance is not an available option.
NIST SP 800-37 expressly prohibits accepting any residual confidentiality risk that is rated moderate or higher, mandating additional mitigation.
Storing unencrypted PAN violates PCI DSS, which requires cardholder data to be unreadable at rest, so the risk cannot be accepted regardless of cost or schedule pressures.
FIPS 199 still needs to be applied to categorize the system; without that step no residual risk decision can be made, so acceptance is premature rather than impermissible.
Answer Description
Risk acceptance decisions must honor mandatory regulatory requirements. The Payment Card Industry Data Security Standard (PCI DSS) Requirement 3 demands that primary account numbers be rendered unreadable (for example, by strong encryption) whenever stored. Because PCI DSS compliance is compulsory for any system that processes or stores cardholder data, the Authorizing Official cannot override this obligation simply by agreeing to accept the risk. The other statements are incorrect: FIPS 199 categorization would already have been completed in earlier RMF steps, NIST SP 800-37 does not forbid accepting moderate confidentiality risk, and OMB Circular A-123 addresses internal controls but does not require financial risks to be transferred.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is PCI DSS and why is it mandatory for systems handling cardholder data?
What does RMF Step 5 entail in the risk management process?
Why is encryption necessary for storing primary account numbers (PAN), and how does it comply with PCI DSS?
An agency system recently received a three-year Authorization to Operate. To keep senior organizational officials informed of the system's ongoing compliance posture during continuous monitoring, which artifact should the security team routinely update and forward to them?
A current network boundary diagram for the information system
The original Security Assessment Report produced for the authorization decision
An updated Plan of Action and Milestones showing remediation status
The system's Configuration Management Plan describing baseline control settings
Answer Description
Senior officials need a concise view of outstanding weaknesses and the progress of corrective actions. The Plan of Action and Milestones (POA&M) is the RMF document designed for that purpose; it is kept current and distributed so executives can track mitigation status and residual risk. The original Security Assessment Report is a historical snapshot, not a living report. A Configuration Management Plan describes baseline processes but does not convey current compliance status. A boundary diagram is useful for architecture reviews, yet it does not communicate risk remediation progress.
During preparation for a controls assessment of a cloud-hosted payroll system, the assessor begins gathering documentation to establish preliminary evidence of compliance. Which document should be examined first because it fully describes the system environment and the planned security controls?
Latest automated configuration baseline snapshot of production servers
Signed Authorization to Operate letter issued by the Authorizing Official
Current Plan of Action and Milestones detailing outstanding findings
System Security Plan for the payroll system
Answer Description
A System Security Plan (SSP) is the foundational document in the Risk Management Framework that details the system's boundaries, operational environment, and every security control selected or implemented. Assessors rely on the SSP to understand how the organization intends to meet each control requirement before they decide what additional evidence, interviews, or technical tests are necessary. A Plan of Action and Milestones focuses only on outstanding deficiencies and does not provide a complete control picture. An Authorization to Operate letter merely records the authorizing official's decision and gives no detail about control implementation. A configuration baseline snapshot is useful for technical verification but lacks the broader context of all administrative, technical, and managerial controls. Therefore, reviewing the SSP first gives the assessor the most comprehensive starting point for evaluating compliance.
You are performing a final review of an authorization package before sending it to the authorizing official. Several minor editorial issues exist, but you also notice that two control weaknesses described in the Security Assessment Report (SAR) are missing from the Plan of Action and Milestones (POA&M). Which of the following omissions is most likely to delay the authorization decision if it is not corrected?
Correcting the cover page to list the accurate system name and version.
Reformatting section headings so all documents follow the current style guide.
Ensuring each SAR-identified control deficiency is entered in the POA&M with a remediation plan and milestones.
Updating the SSP so it references the latest hardware and software inventory baseline.
Answer Description
Untracked control deficiencies present a direct gap in the risk picture the authorizing official needs to see. If weaknesses documented in the SAR do not appear in the POA&M with planned remediation steps and milestones, the organization cannot demonstrate that it is managing those risks, which often results in the authorization decision being postponed. Editorial issues such as inventory currency, document titles, or formatting rarely cause a delay as long as the underlying control status is transparent and properly managed.
While planning a security assessment of the organization's new payroll platform, the lead assessor must invite all key stakeholders to the kickoff meeting. Which stakeholder is chiefly accountable for day-to-day management and life-cycle decisions of the information system and therefore must attend?
Information owner
Independent auditor or assessor
System owner
Chief information security officer (CISO)
Answer Description
The system owner has primary responsibility for the overall procurement, development, integration, modification, operation, maintenance, and eventual disposal of an information system. Because this role is accountable for day-to-day management and life-cycle decisions, the system owner must be involved from the outset of any assessment or audit.
The information owner focuses on data-specific policies, not system operation. An independent auditor/assessor conducts the review but is not responsible for system decisions. The CISO sets enterprise security strategy and oversight but does not manage individual system life cycles. Therefore, including the system owner is essential when establishing stakeholder participation for the assessment.
After performing an ISO/IEC 27001 risk assessment, the ISMS team selects a subset of Annex A controls tailored to its environment. Before seeking certification, which required document must list every selected control, indicate whether it is implemented or not, and provide a justification for any controls the organization chooses to exclude?
Risk Treatment Plan
Control Implementation Matrix
Statement of Applicability
Security Test and Evaluation Report
Answer Description
ISO/IEC 27001 clause 6.1.3 d mandates creation of a Statement of Applicability (SoA). The SoA maps each Annex A control to the organization's risk treatment results, shows its implementation status, and records a rationale for inclusion or justified exclusion. A Risk Treatment Plan schedules actions but does not track implementation status control-by-control. A generic control implementation matrix is not a prescribed ISO/IEC 27001 artifact, and a Security Test and Evaluation Report is associated with other frameworks, not the ISMS certification process.
During control tailoring for a moderate-impact federal system that will create and email Controlled Technical Information (CTI), a form of CUI, you must ensure every electronic file is automatically tagged with the required CUI banner whenever it is created, stored, or transmitted. Which NIST SP 800-53 Rev. 5 control or control enhancement should you allocate to satisfy this requirement?
PL-4 Rules of Behavior
MP-3 Media Marking
SC-12 Cryptographic Key Establishment and Management
AC-16(1) Security and Privacy Attributes | Automated Marking
Answer Description
AC-16 establishes the requirement to associate security and privacy attributes, such as CUI designations, with information in a system. Enhancement (1), Automated Marking, specifically requires the system to automatically generate and apply those markings when the information is created, processed, stored, or transmitted. MP-3 focuses on labeling physical or removable media but does not mandate automated tagging of individual electronic files. SC-12 addresses cryptographic key management rather than data marking. PL-4 defines user behavior rules and likewise does not create or enforce automated CUI banners. Therefore, AC-16(1) is the control enhancement that directly meets the automated CUI marking requirement.
During scoping for a compliance assessment, your team debates including the externally hosted CRM SaaS that exchanges customer PII with on-premises systems. Which factor provides the strongest justification for keeping the SaaS in scope?
Collecting audit evidence from a SaaS vendor will lengthen the project schedule.
The service processes and stores regulated customer data integral to business workflows.
Its servers are physically located outside the corporate data center.
The SaaS provider, not the organization, owns and manages the underlying hardware.
Answer Description
Scope is defined by whether a component processes, stores, or transmits organizational information that is subject to the assessment objectives. Because the CRM SaaS handles regulated customer data and ties directly into core business workflows, it must be considered part of the system boundary. Physical location and ownership of hardware do not remove compliance obligations, and the difficulty or cost of evidence collection does not determine scope.
While finalizing a system's risk response plan, the security team needs a place to log each security control deficiency that senior management has decided to accept for now, as well as any weaknesses that are only partly remediated so they remain visible until closed. In which document or section should these unresolved items be recorded for ongoing tracking and oversight?
Executive summary of the assessment report
Plan of Action and Milestones (POA&M)
Communication matrix in the risk response plan
Testing methodology annex
Answer Description
The Plan of Action and Milestones (POA&M) is the authoritative artifact for tracking security-control weaknesses that remain unresolved or have been formally accepted. For every deficiency it captures the planned corrective actions, required resources, responsible parties, and target or milestone dates, ensuring the issue stays visible until it is remediated or permanently accepted. A communication matrix merely specifies who will exchange risk information, the testing methodology annex describes assessment procedures, and an executive summary offers only a high-level overview; none of these provide the detailed, line-item tracking required for open control deficiencies.
An initial assessment report identifies a critical vulnerability in a vendor-supplied data-integration appliance. Replacing the appliance is not feasible this quarter, so you propose tightening firewall rules and deploying a host-based IPS until a patch is released. Which risk-response category best describes this approach?
Avoid the risk by discontinuing use of the vulnerable appliance immediately.
Mitigate the risk by reducing its likelihood or impact through additional controls.
Accept the risk and take no further action until the vendor releases a patch.
Transfer the risk by purchasing or expanding a cyber-insurance policy.
Answer Description
Strengthening existing safeguards to lower the likelihood or impact of a vulnerability is an example of risk mitigation. You are not eliminating the appliance altogether (avoidance), living with the unaltered risk (acceptance), or shifting liability to another party (transfer/share). Instead, you are adding compensating controls to reduce the risk level until the vendor patch is available, which aligns with a mitigation strategy.
Your organization is deploying a new cloud-hosted payroll application. During planning you note that authentication, account management, and audit logging will all be provided by the existing enterprise identity-and-access management service that supports many other systems. In the system security plan, how should these inherited safeguards be categorized?
Common controls
Hybrid controls
System-specific controls
Discretionary controls
Answer Description
Because the identity-and-access management service is implemented, assessed, and authorized at the organizational level, its safeguards are considered common controls that multiple information systems can inherit. System-specific controls are tailored only to the payroll system itself, while hybrid controls split responsibility between system and provider. Discretionary controls describe a type of access control decision method, not a category of inheritability.
Your agency categorizes a new national-security system as high-impact across confidentiality, integrity, and availability. When building the security plan, which approach correctly applies NIST SP 800-53B requirements for establishing the high-impact control baseline?
Implement all controls and enhancements in the high baseline, removing only those formally tailored out and documented.
Deploy only the controls shared by all three baselines, adding the rest during continuous monitoring.
Apply only catalog controls designated as priority 1 (P1) for high-impact systems.
Start with the low-impact baseline and customize it because the high rating is driven solely by confidentiality.
Answer Description
NIST SP 800-53B instructs organizations to begin with the entire high-impact baseline, which includes every control and enhancement identified for high systems. Tailoring is permitted, but any control removed or downgraded must be justified and documented in the System Security Plan. Simply implementing common controls, selecting only P1 items, or starting from the low baseline contradicts the guidance because those methods omit protections that the high-impact baseline presumes necessary to prevent severe or catastrophic harm.
Your agency is preparing to retire a legacy payroll application that handled large volumes of PII. Under the Disposal phase activities defined in NIST SP 800-64 Revision 2, which step must the team perform first before creating the formal disposal or transition plan and before any sanitization, archiving, or de-installation tasks begin?
Identify and inventory every component and data set that will be removed from service.
Create and approve a detailed system disposal/transition plan describing sanitization and shutdown activities.
Sanitize all storage media using an approved multi-pass overwrite or physical destruction method.
Export audit logs and configuration files to a long-term archival repository.
Answer Description
NIST SP 800-64 Rev. 2 (Table 3-15) lists the initial activity in the Disposal phase as identifying and inventorying all hardware, software, and data that will be removed from service. This inventory establishes exactly what assets and information must be addressed. Only after completing this accounting does the organization develop and approve a disposal or transition plan that details how the inventoried components will be sanitized, archived, transferred, or destroyed. Revoking the ATO, exporting audit logs, and performing media sanitization are later tasks executed in accordance with that approved plan.
Your audit team has documented objectives, scope, resources, methods, schedule, and logistics for a federal information system assessment. According to NIST guidance, what action must you take to formally finalize the assessment plan before fieldwork begins?
Obtain documented approval of the assessment plan from the authorizing official and system owner
Purchase vulnerability-scanning licenses and create tester accounts
Incorporate preliminary findings from previous assessments into the plan
Hold a kickoff meeting to brief assessors on rules of engagement
Answer Description
NIST SP 800-115 and SP 800-53A both state that an assessment or testing plan is not considered final until it receives formal approval from senior management, typically the authorizing official and the system owner. Their sign-off confirms that the defined scope, methods, resources, and schedule meet organizational and regulatory expectations and that management accepts any residual risks associated with the planned activities.
The other options describe useful preparation tasks, but they do not constitute formal plan finalization. A kickoff briefing is normally scheduled after the plan is approved. Procuring tools and test accounts supports execution but can proceed only once the plan is authorized. Adding preliminary findings from earlier audits may enhance context, yet it is not a prerequisite for plan approval. Therefore, obtaining documented management approval is the required step to complete the assessment plan.
After selecting the NIST SP 800-53 moderate baseline for a new cloud-hosted system, the risk assessment reveals that administrators will sometimes perform remote maintenance from personally owned laptops on untrusted networks. To apply an appropriate security practice as a control enhancement, which additional requirement should be documented in the System Security Plan (SSP)?
Disable automatic session timeouts to prevent disruption of long-running administrative tasks.
Require multifactor authentication for all privileged remote sessions.
Reduce audit log retention from 90 to 30 days to minimize storage costs.
Permit the use of legacy SSH version 1 clients for backward compatibility.
Answer Description
Because privileged users may connect from unmanaged, potentially insecure devices and networks, the threat of credential theft or session hijacking increases. Requiring multifactor authentication (MFA) for all privileged remote sessions is a widely adopted safeguard that aligns with NIST SP 800-53 Revision 5 control IA-2(11), which mandates MFA for remote access by both privileged and non-privileged users. Implementing MFA makes it far harder for attackers to compromise accounts with stolen passwords alone. By contrast, reducing log retention, allowing obsolete SSH v1, or disabling session timeouts would decrease security and fail to mitigate the identified risk.
While documenting the System Security Plan for a newly deployed cloud-based case-management system, the security architect must define the system's authorization boundary. Which element is most essential to capture in that boundary description to meet RMF requirements?
An appendix outlining the data-retention schedule for each record type handled by the system
The organization's enterprise-wide privacy policy and related procedures
A roster of users who have privileged roles within the case-management application
A comprehensive inventory of all hardware, software, and network interfaces that store, process, or transmit the system's information
Answer Description
The primary purpose of an authorization boundary is to identify every component that stores, processes, or transmits the system's information so that assessors and authorizing officials know precisely what must be protected and evaluated. Listing all hardware, software, and network interfaces establishes the scope of the security assessment and control implementation. Although data-retention schedules, privileged-user lists, and overarching privacy policies are important artifacts within a complete System Security Plan, they do not by themselves establish where the system begins and ends or what resources are subject to control selection. Therefore, specifying all system components and interconnections is the most critical detail for the authorization boundary.
For a federal cloud-hosted financial system, after controls implementation the assessment reveals two moderate and one high residual risks. The system owner insists on going live next week. To secure stakeholder concurrence with the proposed risk acceptance, what should the CGRC professional do next?
List the residual risks on the POA&M and move the system to production without further approvals.
Update the contract to transfer the high risk to the cloud service provider and skip internal authorization.
Lower the high residual risk to moderate in the SSP so it falls within organizational tolerance and proceed.
Draft a formal risk-acceptance memorandum and obtain signatures from the authorizing official and business owner, then add it to the authorization package.
Answer Description
Risk acceptance must be formally approved by someone with the authority to bear that risk on behalf of the organization. Under the NIST RMF (SP 800-37), the authorizing official reviews the authorization package (system security plan, assessment report and POA&M) and renders an authorization decision: an authorization to operate that explicitly accepts the residual risk, possibly with terms and conditions such as a deadline for remediating the high-risk finding, or a denial of authorization to operate. A written risk-acceptance memorandum or authorization decision document signed by the authorizing official (and usually acknowledged by the system or business owner) is what constitutes documented stakeholder concurrence, and it belongs in the authorization package. Listing the findings on a POA&M tracks them but does not authorize operation; rewriting a risk rating so that it fits organizational tolerance misrepresents the assessment results; and a contract clause does not remove the agency's accountability for its own system, because a cloud provider's authorization (for example under FedRAMP) does not replace the agency's own authorization decision for its use of that service.
Following security categorization, a U.S. federal agency wants to align its selected safeguards with an international standard that lists specific information security controls and offers implementation guidance to ensure confidentiality, integrity, and availability for each information type. Which ISO/IEC 27000-series standard should the team consult?
ISO/IEC 27005 - Information security risk management
ISO/IEC 27000 - Information security management systems - Overview and vocabulary
ISO/IEC 27002 - Code of practice for information security controls
ISO/IEC 27001 - Information security management systems - Requirements
Answer Description
The standard that enumerates detailed information security controls and provides implementation guidance is ISO/IEC 27002. Its 2013 edition carried the title "Code of practice for information security controls"; the 2022 edition is titled "Information security, cybersecurity and privacy protection - Information security controls" and regroups the controls into four themes (organizational, people, physical and technological). It complements ISO/IEC 27001, whose main body specifies the management-system requirements an organization is certified against (scope, leadership, risk assessment and treatment, internal audit, continual improvement) and whose Annex A lists only the control titles, pointing to 27002 for the guidance. ISO/IEC 27000 supplies terminology and an overview of the series, and ISO/IEC 27005 gives guidance on managing information security risk rather than listing specific controls. A U.S. federal system still needs its NIST SP 800-53 baseline; ISO/IEC 27002 is consulted for alignment, and NIST publishes a mapping between SP 800-53 controls and ISO/IEC 27001 that makes that alignment easier to document.
When compiling the initial assessment report for a newly audited payment platform, you must include a risk mitigation summary for every critical vulnerability found. Which of the following best satisfies this requirement in the initial report phase?
A brief description of potential control or process improvements that could lower the likelihood or impact of the risk
A finalized remediation project plan with budgets, timelines, and assigned personnel
The formally accepted residual risk score after mitigation activities are completed
Documented proof that remediation tasks are finished and retested for effectiveness
Answer Description
The purpose of the risk mitigation summary in an initial assessment report is to give management a concise, high-level view of how each identified risk could be reduced. At this early point the assessor is not expected to deliver a full project plan or evidence of completed fixes. Instead, the report should briefly describe potential control enhancements or procedural changes that would lower the likelihood or impact of the vulnerability. Detailed budgets, residual-risk decisions, and verification of completed remediation occur later in the remediation and follow-up phases, so those items are inappropriate for the initial report.
An EU customer writes to your compliance team stating that their mailing address on file is outdated and asks you to update it and include their new apartment number. Under GDPR, which specific data subject right are they exercising?
Right to erasure (right to be forgotten)
Right to object to processing
Right to rectification
Right to data portability
Answer Description
The request to correct inaccurate personal information and to complete missing details invokes the GDPR right to rectification. This right, set out in Article 16, allows individuals to have inaccurate personal data corrected without undue delay and, where data is incomplete, to have it completed (including by means of a supplementary statement). By contrast, the right to erasure (Article 17, the "right to be forgotten") concerns deleting data entirely, the right to data portability (Article 20) concerns receiving data in a structured, commonly used, machine-readable format for transfer elsewhere, and the right to object (Article 21) allows individuals to oppose certain processing activities. None of those addresses the need to amend inaccurate or incomplete records, making rectification the correct choice. In practice the compliance team must act within the Article 12 timeframe (without undue delay and at most one month, extendable by two further months for complex requests) and, under Article 19, notify any recipients to whom the address was disclosed of the correction unless that proves impossible or disproportionate.