Certified in Risk and Information Systems Control (CRISC) — Question 406
A vendor manager reports that a previously compliant service provider had issues with its most recent security audit. Which of the following is the MOST important course of action?
Answer options
- A. Determine whether credits are due under the service level agreement (SLA)
- B. Schedule an independent audit of the vendor
- C. Ensure that the vendor remediates all identified issues
- D. Determine whether any of the issues could impact the business
Correct answer: D
Explanation
The most critical action is to assess whether the identified issues pose a risk to the business, as this will guide the response strategy. While remediation and audits are important, understanding the potential impact on the business ensures that resources are allocated effectively to address the most pressing concerns first. The other options, while relevant, do not prioritize the immediate business implications of the security audit failure.