Certified Information Security Manager (CISM) — Question 480

Which of the following should be done FIRST when selecting performance metrics to report on the vendor risk management process?

Answer options

• A. Select the data source.
• B. Review the confidentiality requirements.
• C. Identify the intended audience.
• D. Identify the data owner.

Correct answer: C

Explanation

Identifying the intended audience is crucial because it shapes the metrics that will be relevant and useful for reporting. Without knowing who will use the information, selecting appropriate data sources, confidentiality considerations, or data ownership may not effectively meet the reporting needs. The other options are important but should follow after understanding the audience.