Certified in Risk and Information Systems Control (CRISC) — Question 836

It is MOST important that security controls for a new system be documented in:

Answer options

• A. the security policy
• B. testing requirements
• C. system requirements
• D. the implementation plan

Correct answer: C

Explanation

Documenting security controls in the system requirements is essential because it sets the foundation for how the system will be developed and ensures that security measures are integrated from the beginning. The other options, while important, do not serve as the primary reference for the integration of security controls into the system itself.