Certified Information Security Manager (CISM) — Question 301

An organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor. What should the information security manager do FIRST to support this initiative?

Answer options

• A. Review independent security assessment reports for each vendor.
• B. Benchmark each vendor's services with industry best practices.
• C. Define information security requirements and processes.
• D. Analyze the risks and propose mitigating controls.

Correct answer: C

Explanation

The correct answer is C because defining information security requirements and processes is essential for ensuring that the chosen vendor meets the organization's security needs. Options A, B, and D are important steps but should follow the establishment of clear requirements to guide the vendor selection process effectively.