
CISM Question #494: Real Exam Question with Answer & Explanation

The correct answer is C: Periodically invoke audit clause within the contract.

Submitted by kim_seoul · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following is the MOST effective way to ensure the information security risk associated with third-party services is understood?

Options

  • A. Provide security awareness training to third-party employees.
  • B. Conduct a security test of the services prior to implementation.
  • C. Periodically invoke audit clause within the contract.
  • D. Regularly review the third party's compliance certifications.

Explanation

The most effective way to ensure the information security risks associated with third-party services are understood is to periodically invoke the audit clause within the contract. This gives the organization an opportunity to assess the third party's security posture and verify compliance with security requirements on an ongoing basis. While security training, pre-implementation testing, and compliance certification reviews are important, they are one-time or limited checks; regular, contractual audits provide continuous insight into the third party's security practices and help identify potential risks.

Topics

#Third-party risk management #Vendor risk assessment #Contractual audit rights #Ongoing risk monitoring
