CompTIA CySA+ (CS0-002) — Question 213

An organization is concerned about the security posture of vendors with access to its facilities and systems. The organization wants to implement a vendor review process to ensure the policies implemented by vendors are in line with its own. Which of the following will provide the highest assurance of compliance?

Answer options

A. In-house red-team report
B. Vendor self-assessment report
C. Independent third-party audit report
D. Internal and external scans

Correct answer: C

Explanation

An independent third-party audit report (C) gives the highest assurance because it is an objective assessment, performed by a party with no stake in the outcome, of whether the vendor's policies and controls meet a defined standard, which the organization can compare against its own requirements. An in-house red-team report (A) is a point-in-time test of specific technical defenses, not a review of policy adherence, and an internal team assessing its own organization's vendors can carry bias. A vendor self-assessment report (B) lacks independence, since the vendor is grading itself. Internal and external scans (D) reveal technical exposures such as open ports and known vulnerabilities but say nothing about whether the vendor's policies are in line with the organization's.