Certified Information Security Manager (CISM) — Question 566
An information security manager has become aware that a third-party provider is not in compliance with the statement of work (SOW). Which of the following is the BEST course of action?
Answer options
- A. Assess the extent of the issue.
- B. Report the issue to legal personnel.
- C. Notify senior management of the issue.
- D. Initiate contract renegotiation.
Correct answer: A
Explanation
The best action is to assess the extent of the issue first to understand its impact before taking further steps. Reporting to legal or senior management without a clear understanding of the problem may lead to unnecessary escalation. Renegotiating the contract might be premature without knowing how serious the compliance issue is.