Certified Information Security Manager (CISM) — Question 1020
An organization learns that a third party has outsourced critical functions to another external provider. Which of the following is the information security manager's MOST important course of action?
Answer options
- A. Engage an independent audit of the third party's external provider.
- B. Conduct an external audit of the contracted third party.
- C. Recommend canceling the contract with the third party.
- D. Evaluate the third party's agreements with its external provider.
Correct answer: D
Explanation
The most crucial action is to evaluate the third party's agreements with its external provider to understand the implications for security and compliance. Engaging an independent audit or conducting an external audit may be useful, but both are secondary to understanding the contractual obligations. Recommending cancellation of the contract without a thorough evaluation could be premature and may not address the underlying risks.