Certified in Risk and Information Systems Control (CRISC) — Question 1142

Which of the following provides a risk practitioner with the MOST reliable evidence of a third-party’s ability to protect the confidentiality of sensitive corporate information?

Answer options

• A. External audit reports
• B. Internal audit reports
• C. Control self-assessment (CSA) results
• D. A signed nondisclosure agreement (NDA)

Correct answer: A

Explanation

External audit reports are typically conducted by independent third parties and provide an objective assessment of a third-party's security controls. Internal audit reports may lack the same level of impartiality, while CSA results are self-reported and may not be as reliable. A signed NDA offers legal protection but does not serve as evidence of actual protective measures taken.