Certified Information Security Manager (CISM) — Question 366
To confirm that a third-party provider complies with an organization's information security requirements, it is MOST important to ensure:
Answer options
- A. contract clauses comply with the organization's information security policy.
- B. security metrics are included in the service level agreement (SLA).
- C. the information security policy of the third-party service provider is reviewed.
- D. right to audit is included in the service level agreement (SLA).
Correct answer: D
Explanation
The correct answer is D. A contractual right to audit lets the organization (or an independent auditor acting on its behalf) verify for itself that the provider actually meets the security requirements, rather than relying on the provider's own statements. The other options support oversight but do not confirm compliance: contract clauses that align with the organization's policy (A) define the obligation but do not show whether it is being met; security metrics in the SLA (B) report on delivery but are produced by the provider and cannot be verified without an audit; and reviewing the provider's security policy (C) shows what the provider intends to do, not what it does in practice. The right to audit is only valuable if the organization actually exercises it, or periodically obtains independent audit results, to confirm the provider's adherence to the agreed security requirements.