Certified Information Security Manager (CISM) — Question 244

Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be
MOST helpful in determining the associated level of risk applied to each vendor?

Answer options

• A. Compliance requirements associated with the regulation
• B. Criticality of the service to the organization
• C. Corresponding breaches associated with each vendor
• D. Compensating controls in place to protect information security

Correct answer: B

Explanation

The criticality of the service to the organization is essential because it directly impacts the potential risk exposure if the vendor fails. While compliance requirements, corresponding breaches, and compensating controls are important, they do not provide as direct an assessment of risk related to the vendor's importance to the organization.