Certified Information Systems Auditor (CISA) — Question 1444
Which of the following provides the BEST evidence that a third-party service provider's information security controls are effective?
Answer options
- A. Documentation of the service provider's security configuration controls
- B. An audit report of the controls by the service provider's external auditor
- C. An interview with the service provider's information security officer
- D. A review of the service provider's policies and procedures
Correct answer: B
Explanation
Option B is correct: an audit report from the service provider's external auditor provides an independent assessment of the effectiveness of the provider's security controls. In contrast, options A and D draw on internal documents that may not reflect current practices, and option C relies on subjective information from the information security officer, which may not be as reliable as an independent audit.