Certified Information Security Manager (CISM) — Question 330
An organization is considering using a third party to host sensitive archived data. Which of the following is MOST important to verify before entering into the relationship?
Answer options
- A. Independent audits of the vendor’s operations are regularly conducted.
- B. The vendor’s controls are in line with the organization’s security standards.
- C. The encryption keys are not provided to the vendor.
- D. The vendor’s data centers are in the same geographic region.
Correct answer: B
Explanation
Verifying that the vendor’s controls align with the organization’s security standards is essential to ensure that sensitive data is protected according to the organization’s requirements. While independent audits (A) are important, they do not replace the need for alignment with the organization’s standards. Withholding the encryption keys from the vendor (C) and the geographic location of the data centers (D) are also relevant, but they are secondary to the alignment of security controls.