Certified Information Security Manager (CISM) — Question 962
Which of the following is the BEST indicator of the maturity level of a vendor risk management process?
Answer options
- A. Number of vendors rejected because of security review results
- B. Percentage of vendors that are regularly reviewed against defined criteria
- C. Percentage of vendors that have gone through the vendor onboarding process
- D. Average time required to complete the vendor risk management process
Correct answer: B
Explanation
The correct answer is B because the percentage of vendors regularly reviewed against defined criteria shows that vendor risk is managed in an ongoing (regular) and systematic (defined criteria) way, which is what distinguishes a mature process. The other options measure isolated outcomes or metrics, such as rejection counts, onboarding coverage, or processing time, that do not by themselves indicate the overall effectiveness and thoroughness of the risk management process.