Certified Information Security Manager (CISM) — Question 305
Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations?
Answer options
- A. Including information security clauses within contracts
- B. Auditing the service delivery of third-party providers
- C. Providing information security training to third-party personnel
- D. Requiring third parties to sign confidentiality agreements
Correct answer: A
Explanation
Including information security clauses within contracts (Option A) is the most effective approach because it legally binds third-party providers to comply with the organization's security requirements. Auditing (Option B) and training (Option C) are beneficial, but they do not ensure compliance as effectively as contractual obligations. Requiring confidentiality agreements (Option D) focuses on privacy and does not cover the broader scope of information security expectations.