Certified Information Security Manager (CISM) — Question 7

When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?

Answer options

• A. Develop metrics for vendor performance.
• B. Include information security criteria as part of vendor selection.
• C. Review third-party reports of potential vendors.
• D. Include information security clauses in the vendor contract.

Correct answer: B

Explanation

The correct answer is B because including information security criteria during vendor selection ensures that potential vendors are evaluated based on their ability to meet security requirements from the outset. The other options, while important, are subsequent steps that do not address the foundational requirement of establishing security standards in the initial selection process.