Certified Information Security Manager (CISM) — Question 888
An information security manager has recently been notified of potential security risks associated with a third-party service provider. What should be done NEXT to address this concern?
Answer options
- A. Escalate to the chief risk officer (CRO).
- B. Conduct a vulnerability analysis.
- C. Conduct a risk analysis.
- D. Determine compensating controls.
Correct answer: C
Explanation
Conducting a risk analysis is the correct next step because it evaluates the threats and vulnerabilities associated with the third-party service provider together with their likelihood and potential impact, which is what the manager needs before deciding how to respond. Escalating to the CRO and determining compensating controls are both legitimate actions, but they depend on the outcome of that analysis: escalation requires a quantified or at least qualified level of risk to report, and compensating controls can only be selected once the specific risks to be reduced are known. A vulnerability analysis identifies weaknesses in the provider's environment but does not weigh them against threats and business impact, so it gives only a partial view of the overall risk.