Certified Information Security Manager (CISM) — Question 1100
Which of the following is an information security manager’s MOST important action during the third-party provider selection process?
Answer options
- A. Determining if the third party is sufficiently staffed
- B. Performing a network penetration test
- C. Analyzing the third party’s existing control environment
- D. Consulting with the third party’s clients
Correct answer: C
Explanation
The correct answer is C. During provider selection, the information security manager's primary concern is whether the third party's existing controls are adequate for the risk the engagement introduces, so analyzing the provider's current control environment (for example, through its policies, assessment reports, and evidence of operating controls) gives the most direct basis for the selection decision and for any contractual requirements that follow. Option A addresses only one capability factor; adequate staffing does not by itself demonstrate that controls exist or operate effectively. Option B is a point-in-time technical test of network exposure that covers only a narrow slice of the provider's controls, and a prospective client often cannot perform it before a contract is in place. Option D provides secondhand opinion from other customers rather than direct evidence of the provider's controls. A, B, and D can contribute to due diligence, but none assesses the overall control environment on which the selection decision should rest.