Certified in Risk and Information Systems Control (CRISC) — Question 994
Which of the following provides the BEST assurance of the effectiveness of vendor security controls?
Answer options
- A. Require independent control assessments.
- B. Review vendor service level agreement (SLA) metrics.
- C. Review vendor control self-assessments (CSA).
- D. Obtain vendor references from existing customers.
Correct answer: A
Explanation
Requiring independent control assessments provides an unbiased evaluation of the vendor's security controls, ensuring they meet necessary standards. In contrast, reviewing SLAs, self-assessments, or customer references may not provide the same level of assurance, as these can be subject to bias or may not reflect the current state of security effectiveness.