nerdexam
(ISC)2

CISSP · Question #94

An organization is selecting a service provider to assist in the consolidation of multiple computing sites including development, implementation and ongoing support of various computer systems. Which

The correct answer is C. The service provider will impose controls and protections that meet or exceed the current systems. The Information Security Department must verify that the service provider will impose controls and protections that meet or exceed the current systems controls and produce audit logs as verification. This is to ensure that the service provider will maintain or improve the securit

Submitted by helene.fr· Mar 5, 2026Security and Risk Management

Question

An organization is selecting a service provider to assist in the consolidation of multiple computing sites including development, implementation and ongoing support of various computer systems. Which of the following MUST be verified by the Information Security Department?

Options

  • AThe service provider's policies are consistent with ISO/IEC27001 and there is evidence that the
  • BThe service provider will segregate the data within its systems and ensure that each region's
  • CThe service provider will impose controls and protections that meet or exceed the current systems
  • DThe service provider's policies can meet the requirements imposed by the new environment even

How the community answered

(52 responses)
  • A
    21% (11)
  • B
    13% (7)
  • C
    62% (32)
  • D
    4% (2)

Explanation

The Information Security Department must verify that the service provider will impose controls and protections that meet or exceed the current systems controls and produce audit logs as verification. This is to ensure that the service provider will maintain or improve the security posture of the organization, and that the organization will be able to monitor and audit the service provider's performance and compliance. The service provider's policies may or may not be consistent with ISO/IEC27001, but this is not a mandatory requirement, as long as the service provider can meet the organization's security needs and expectations. The service provider may or may not segregate the data within its systems, depending on the type and sensitivity of the data, and the contractual and regulatory obligations. The service provider's policies may differ from the organization's current policies, as long as they can meet the requirements imposed by the new environment, and are agreed upon by both parties.

Topics

#third-party risk management#vendor selection#security requirements#due diligence

Community Discussion

No community discussion yet for this question.

Full CISSP Practice