Which action is part of building an effective assurance case?


Multiple Choice

Which action is part of building an effective assurance case?

Explanation:

An assurance case is a structured argument that a system meets its security requirements. The essential activity in building it is gathering relevant evidence and presenting it in a clear, coherent way that directly supports the claims about security and risk posture. This means collecting artifacts such as test results, vulnerability assessments, control mappings, design documentation, and incident response drill results, and then explaining how each piece of evidence substantiates the claims and mitigates risks. Presenting evidence in a well-organized narrative helps stakeholders see exactly how confidence in security is achieved.

Budget planning is about resource allocation and scheduling, not the process of constructing the substantiated argument itself. Code review can provide important inputs that become part of the evidence, but it’s not the act of compiling and presenting the evidence that forms the assurance case. Deployment schedule concerns timing and rollout, which are outside the core activity of building the assurance case.
