Certified Information Systems Auditor (CISA) — Question 51
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
Answer options
- A. Obtain evidence of the vendor's control self-assessment (CSA).
- B. Periodically review the service level agreement (SLA) with the vendor.
- C. Conduct periodic on-site assessments using agreed-upon criteria.
- D. Conduct an unannounced vulnerability assessment of the vendor's IT systems.
Correct answer: C
Explanation
Conducting periodic on-site assessments using agreed-upon criteria (C) is the most effective method because it gives the client direct, first-hand evidence of whether the vendor's controls are designed and operating as required, and the agreed criteria make the results repeatable and contractually enforceable. A control self-assessment (A) is self-reported by the vendor and therefore offers only limited independent assurance. Reviewing the SLA (B) confirms what control levels were agreed, not whether the vendor is actually meeting them. An unannounced vulnerability assessment (D) may not be permitted under the contract and, in any case, only surfaces technical weaknesses in specific systems; it does not verify the vendor's overall control environment.