nerdexam
(ISC)2

CISSP · Question #1025

A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software security is not add

The correct answer is C. Update the contract so that the vendor is obligated to provide security capabilities.. When software security is missing from a vendor contract, the contract itself-not the SLA-is the proper legal instrument to mandate security obligations, as it governs the overall terms of the vendor relationship.

Submitted by yuriko_h· Mar 5, 2026Software Development Security

Question

A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software security is not addressed. What is the BEST approach to address the issue?

Options

  • AUpdate the service level agreement (SLA) to provide the organization the right to audit the
  • BUpdate the service level agreement (SLA) to require the vendor to provide security capabilities.
  • CUpdate the contract so that the vendor is obligated to provide security capabilities.
  • DUpdate the contract to require the vendor to perform security code reviews.

How the community answered

(47 responses)
  • A
    15% (7)
  • B
    9% (4)
  • C
    72% (34)
  • D
    4% (2)

Why each option

When software security is missing from a vendor contract, the contract itself-not the SLA-is the proper legal instrument to mandate security obligations, as it governs the overall terms of the vendor relationship.

AUpdate the service level agreement (SLA) to provide the organization the right to audit the

The SLA governs service performance metrics and availability targets, not the development-level security capabilities of the software itself, so auditing rights in the SLA would not obligate the vendor to build secure software.

BUpdate the service level agreement (SLA) to require the vendor to provide security capabilities.

The SLA is a supplementary document focused on operational service levels rather than development obligations; requiring security capabilities in the SLA is less enforceable and less appropriate than placing that requirement in the primary contract.

CUpdate the contract so that the vendor is obligated to provide security capabilities.Correct

The contract is the binding legal agreement that defines the vendor's obligations for software development, making it the most authoritative and enforceable place to require security capabilities. Updating the contract ensures that security requirements are legally obligatory from the outset of the engagement, not just operationally expected. This approach addresses the root issue-absent security language in the primary agreement-by embedding security obligations directly where they carry the most legal weight.

DUpdate the contract to require the vendor to perform security code reviews.

Requiring only security code reviews in the contract is too narrow-it addresses one specific activity rather than broadly obligating the vendor to provide comprehensive security capabilities throughout the software development lifecycle.

Concept tested: Vendor contract management and software security requirements

Source: https://www.nist.gov/system/files/documents/2021/10/28/NIST%20SP%20800-161%20Rev%201%20ipd.pdf

Topics

#Vendor management#Contract security#SLA#Software security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice