Certified Information Security Manager (CISM) — Question 1246

Which of the following is the BEST method for managing information security compliance of third-party suppliers?

Answer options

• A. Develop specific information security policies for third parties.
• B. Conduct a vulnerability assessment of the third-party supplier.
• C. Include third-party supplier details in the risk register.
• D. Ensure information security requirements are addressed in the contract.

Correct answer: D

Explanation

The correct answer is D because including information security requirements in the contract ensures that suppliers are legally obligated to meet those standards. Options A and B are important but do not provide the same level of assurance as a contractual obligation. Option C is useful for tracking risks but does not directly enforce compliance.