nerdexam
(ISC)2

CISSP-ISSEP · Question #195

An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that apply.

The correct answer is A. Ascertaining the security posture of the organization's information system B. Reviewing security status reports and critical security documents C. Determining the requirement of reauthorization and reauthorizing information systems when. Authorizing Official (AO) Responsibilities An Authorizing Official is a senior executive accountable for formally accepting the risk of operating an information system. Options A, B, and C are correct because they directly reflect the AO's core mandate under frameworks like the N

Risk Management

Question

An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that apply.

Options

  • AAscertaining the security posture of the organization's information system
  • BReviewing security status reports and critical security documents
  • CDetermining the requirement of reauthorization and reauthorizing information systems when
  • DEstablishing and implementing the organization's continuous monitoring program

How the community answered

(28 responses)
  • A
    89% (25)
  • D
    11% (3)

Explanation

Authorizing Official (AO) Responsibilities

An Authorizing Official is a senior executive accountable for formally accepting the risk of operating an information system. Options A, B, and C are correct because they directly reflect the AO's core mandate under frameworks like the NIST Risk Management Framework: the AO must understand the system's security posture (A) to make informed risk decisions, review authorization packages and status reports (B) such as security plans and POA&Ms as inputs to those decisions, and trigger and execute reauthorization (C) when significant changes or time thresholds warrant a fresh risk acceptance.

Option D is incorrect because establishing and implementing the continuous monitoring program is the responsibility of security operations personnel (typically the ISSO or system owner), not the AO. The AO consumes the outputs of continuous monitoring to make ongoing authorization decisions - they don't build or run the program itself. Confusing "approving based on results" with "owning the program" is the trap here.

Memory tip: Think of the AO as a senior executive signing off on a risk - they read reports, assess posture, and say yes/no to authorization. They don't roll up their sleeves to build security programs. If an answer describes hands-on implementation or program setup, it belongs to someone else (ISSO, system owner), not the AO.

Topics

#Authorizing Official#Risk Management#ATO#Governance

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice