Certified Information Security Manager (CISM) — Question 876

An organization has decided to outsource IT operations. Which of the following should be the PRIMARY focus of the information security manager?

Answer options

• A. Business continuity contingency planning is provided.
• B. Security requirements are included in the vendor contract.
• C. External security audit results are reviewed.
• D. Service level agreements (SLAs) meet operational standards.

Correct answer: B

Explanation

The primary focus of the information security manager should be ensuring that security requirements are clearly defined in the vendor contract to protect the organization’s data. While business continuity, audit results, and service level agreements are important, they are secondary to establishing robust security measures with the vendor to mitigate risks associated with outsourcing.