Certified Information Security Manager (CISM) — Question 964
An enterprise has decided to procure security services from a third-party vendor to support its information security program. Which of the following is MOST important to include in the vendor selection criteria?
Answer options
- A. The maturity of the vendor's internal control environment
- B. Feedback from the vendor's previous clients
- C. Alignment of the vendor's business objectives with enterprise security goals
- D. Penetration testing against the vendor's network
Correct answer: C
Explanation
The correct answer is C. When security services are outsourced, the vendor's work becomes part of the enterprise's own information security program, so the selection criteria must first establish that the vendor's business objectives and service model actually support the enterprise's security goals; without that strategic fit, a technically capable vendor can still deliver services that do not advance the program. The maturity of the vendor's internal control environment (A) and feedback from previous clients (B) are useful due-diligence inputs that help judge whether the vendor can deliver reliably, but they measure capability rather than fit with enterprise objectives. Penetration testing against the vendor's network (D) is a point-in-time assessment of one aspect of the vendor's security posture and would normally be arranged by contract after selection, not used as a primary selection criterion.