Certified Information Security Manager (CISM) — Question 932

Which of the following should an information security manager do FIRST upon notification of a potential security risk associated with a third-party service provider?

Answer options

• A. Determine risk treatment options.
• B. Conduct a vulnerability analysis.
• C. Escalate to the third-party provider.
• D. Conduct a risk analysis.

Correct answer: D

Explanation

The correct answer is D, as conducting a risk analysis is essential to understand the scope and implications of the potential security risk before taking further action. Options A and B are subsequent steps that may follow the risk assessment, while C, escalating to the third-party provider, is premature without first understanding the risk.