Certified in Risk and Information Systems Control (CRISC) — Question 899
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
Answer options
- A. To assess the vendor's risk mitigation plans
- B. To verify the vendor's ongoing financial viability
- C. To monitor the vendor's control effectiveness
- D. To provide input to the organization's risk appetite
Correct answer: C
Explanation
The correct answer is C: monitoring the effectiveness of a vendor's controls is crucial for ensuring that the vendor continues to meet security and compliance requirements. While assessing risk mitigation plans, verifying financial viability, and providing input to risk appetite are important, they do not focus primarily on the ongoing effectiveness of the vendor's controls.