nerdexam
(ISC)2

CISSP · Question #897

A security professional determines that a number of outsourcing contracts inherited from a previous merger do not adhere to the current security requirements. Which of the following BEST minimizes the

The correct answer is C. Verify all contracts before a merger occurs. This question tests knowledge of third-party risk management and due diligence practices during mergers and acquisitions. Proactive contract review before a merger is the most effective way to prevent inheriting non-compliant vendor agreements.

Submitted by viktor_hu· Mar 5, 2026Security and Risk Management

Question

A security professional determines that a number of outsourcing contracts inherited from a previous merger do not adhere to the current security requirements. Which of the following BEST minimizes the risk of this happening again?

Options

  • ADefine additional security controls directly after the merger
  • BInclude a procurement officer in the merger team
  • CVerify all contracts before a merger occurs
  • DAssign a compliancy officer to review the merger conditions

How the community answered

(62 responses)
  • A
    5% (3)
  • B
    8% (5)
  • C
    68% (42)
  • D
    19% (12)

Why each option

This question tests knowledge of third-party risk management and due diligence practices during mergers and acquisitions. Proactive contract review before a merger is the most effective way to prevent inheriting non-compliant vendor agreements.

ADefine additional security controls directly after the merger

Defining additional security controls after the merger is a reactive measure that does not prevent the inheritance of non-compliant contracts, as the organization is already legally bound by those agreements at that point.

BInclude a procurement officer in the merger team

Including a procurement officer addresses purchasing processes going forward but does not specifically ensure that existing inherited contracts are reviewed for security compliance before the merger is completed.

CVerify all contracts before a merger occursCorrect

Verifying all contracts before a merger occurs is the most effective preventive control because it allows the security team to identify non-compliant outsourcing agreements during due diligence, before those contracts and their associated risks are legally inherited. This proactive approach enables the organization to renegotiate, terminate, or accept risk on problematic contracts prior to the merger being finalized, directly addressing the root cause of the problem described.

DAssign a compliancy officer to review the merger conditions

Assigning a compliance officer to review merger conditions is a broader administrative role that may not focus specifically on vetting individual outsourcing contracts for security requirement adherence prior to the merger.

Concept tested: Third-party risk management and merger due diligence

Source: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final

Topics

#Third-party risk#Mergers and acquisitions#Contract review#Due diligence

Community Discussion

No community discussion yet for this question.

Full CISSP Practice