Certified Information Security Manager (CISM) — Question 108
Which of the following provides the BEST assurance that a contracted third-party provider meets an organization's security requirements?
Answer options
- A. Continuous monitoring
- B. Due diligence questionnaires
- C. Right-to-audit clause in the contract
- D. Performance metrics
Correct answer: C
Explanation
A right-to-audit clause in the contract gives the organization the contractual right to verify the provider's compliance with its security requirements directly, rather than relying on the provider's own statements. Continuous monitoring, due diligence questionnaires, and performance metrics are useful controls, but none of them provides the same level of assurance as the contractual right to conduct audits, which can uncover actual compliance issues.