Certified Information Security Manager (CISM) — Question 512
Which of the following is the BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor?
Answer options
- A. Require vendors to complete information security questionnaires.
- B. Request customer references from the vendor.
- C. Verify that information security requirements are included in the contract.
- D. Review the results of the vendor's independent control reports.
Correct answer: D
Explanation
Reviewing the vendor's independent control reports (for example, a SOC 2 Type II report) is the best option because an independent auditor has tested the design and operating effectiveness of the vendor's controls over a defined period, giving objective evidence of the residual risk of using the service. Security questionnaires are self-attestation by the vendor and cannot be relied on without verification. Including security requirements in the contract defines the vendor's obligations and supports risk treatment, but it does not by itself assess the vendor's current security posture. Customer references provide anecdotal, often selectively chosen evidence and lack the rigor of a formal, independent assessment.