Certified Information Security Manager (CISM) — Question 28

Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?

Answer options

• A. Review the third-party contract with the organization's legal department.
• B. Communicate security policy with the third-party vendor.
• C. Ensure security is involved in the procurement process.
• D. Conduct an information security audit on the third-party vendor.

Correct answer: C

Explanation

The correct answer is C because involving security in the procurement process ensures that security requirements are integrated from the beginning, minimizing risks. While reviewing contracts (A), communicating policies (B), and conducting audits (D) are important, they are often reactive measures that may not adequately address security concerns upfront.