Certified Information Security Manager (CISM) — Question 825
An information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment?
Answer options
- A. Review the vendor’s security policy.
- B. Review controls listed in the vendor contract.
- C. Focus the review on the infrastructure with the highest risk.
- D. Determine whether the vendor follows the selected security framework rules.
Correct answer: B
Explanation
The correct answer is B because the vendor contract lists the specific security controls the vendor is contractually obligated to maintain, and those obligations are what the assessment should be scoped to verify. Reviewing the vendor's security policy, concentrating on the highest-risk infrastructure, or checking adherence to a selected security framework can each yield useful insights, but none of them directly defines the contractual obligations that determine the assessment's scope.