Isaca
CRISC Question #55: Real Exam Question with Answer & Explanation
The correct answer is A: testing requirements. It is most important that security controls for a new system be documented in testing requirements, as this ensures that their effectiveness can be formally validated before deployment.
Submitted by tunde_lagos · Apr 18, 2026 · Risk Response and Reporting
Question
It is MOST important that security controls for a new system be documented in:
Options
- A. Testing requirements
- B. The implementation plan
- C. System requirements
- D. The security policy
Explanation
It is most important that security controls for a new system be documented in testing requirements, as this ensures that their effectiveness can be formally validated before deployment.
Common mistakes.
- B. The implementation plan outlines how controls will be deployed, but it doesn't specify what needs to be tested or the criteria for successful verification of those controls.
- C. System requirements describe the overall functions and non-functional aspects of the system, including security requirements, but the specific documentation of controls for testing goes beyond general system requirements.
- D. The security policy sets the high-level organizational rules and objectives, but it typically doesn't contain the detailed, testable specifications for individual security controls of a new system.
Concept tested. Documenting security controls for validation
Topics
#Security Controls Documentation #Control Testing #System Development Life Cycle (SDLC) #Risk Response Validation