
CISSP Question #243: Real Exam Question with Answer & Explanation

The correct answer is C: Quantify the risk to the business for product selection.

Submitted by ashley.k · Mar 5, 2026 · Domain: Security and Risk Management

Question

When evaluating third-party applications, which of the following is the GREATEST responsibility of Information Security?

Options

  • A. Accept the risk on behalf of the organization.
  • B. Report findings to the business to determine security gaps.
  • C. Quantify the risk to the business for product selection.
  • D. Approve the application that best meets security requirements.

Explanation

According to the CISSP All-in-One Exam Guide, the greatest responsibility of Information Security when evaluating third-party applications is to quantify the risk to the business for product selection. Information Security assesses the likelihood and potential impact of the threats and vulnerabilities associated with each candidate application, and communicates that risk analysis to the business stakeholders, who own the decision and are responsible for making the final selection. The role is advisory, not decision-making: Information Security should not accept the risk on behalf of the organization (A), since only the business or asset owner can accept risk; should not merely report findings without a risk analysis that lets the business weigh them (B); and should not approve the application that best meets security requirements on its own (D), because that would substitute security criteria for the business's needs and objectives.

Topics

#third-party risk · #risk quantification · #vendor management
