
CISM Question #632: Real Exam Question with Answer & Explanation


Submitted by chiamaka_o · Apr 18, 2026 · Information Security Governance

Question

An organization wants to migrate a proprietary application to be hosted by a third-party cloud hosting provider using a Platform as a Service (PaaS) model. Prior to selecting the cloud provider, what is MOST important for the organization to ensure?

Options

  • A. The cloud provider can meet recovery point objectives (RPOs)
  • B. The cloud provider adheres to applicable regulations
  • C. The hosting contract has a termination clause
  • D. The cloud provider's service level agreement (SLA) includes availability requirements

Explanation

Why B is correct: Before committing to any cloud provider, the organization must verify that the provider operates within applicable laws, industry regulations, and compliance frameworks (e.g., GDPR, HIPAA, SOC 2) - because no other operational concern matters if the arrangement is legally non-compliant from the start. Regulatory violations can result in fines, forced service termination, or legal liability that no SLA or RPO can remedy.

Why the distractors fall short:

  • A (RPO) - Recovery objectives are important for business continuity planning, but they're an operational concern negotiated after a compliant provider is identified.
  • C (Termination clause) - A useful contract protection, but a secondary legal/contractual detail, not the foundational compliance check.
  • D (SLA availability) - Availability guarantees matter for uptime, but an SLA is meaningless if the provider can't legally handle your data in the first place.

Memory tip: Think "compliance before contract" - regulatory adherence is the non-negotiable gate you must pass through first; everything else (RPO, SLA, exit clauses) is negotiated inside that gate. If a provider fails the compliance check, the other choices become irrelevant.

Topics

#Third-party risk #Regulatory compliance #Cloud PaaS #Vendor selection
