
Isaca CISM Exam - Topic 6 Question 69 Discussion

Actual exam question for Isaca's CISM exam
Question #: 69
Topic #: 6

An information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment?

Suggested Answer: B (review the controls listed in the vendor contract)

Reviewing the controls listed in the vendor contract is the most helpful approach for scoping a security assessment of an existing vendor, because the contract records the security requirements and expectations the vendor has already agreed to meet. A vendor contract is the legal document that defines the terms and conditions of the business relationship: its scope, deliverables, responsibilities, and the obligations of both parties. It should also specify the security controls the vendor must implement and maintain to protect the organization's data and systems, such as encryption, authentication, access control, backup, monitoring, and auditing. Scoping the assessment against those contractual controls ensures it covers the aspects of the vendor's security posture the organization actually relies on, and it gives a concrete baseline against which gaps or discrepancies between the agreed controls and the vendor's actual practices can be identified. A vendor's own security policy or chosen framework describes what the vendor intends to do; the contract defines what the vendor is accountable to the organization for, which is why it is the right basis for scoping.


Contribute your Thoughts:
Karon
3 months ago
Surprised this is even a question; isn't it obvious?
upvoted 0 times
...
Kenia
3 months ago
Wait, are we sure the vendor even follows any framework?
upvoted 0 times
...
Antonio
3 months ago
Definitely should check their security policy!
upvoted 0 times
...
Ahmed
4 months ago
I think reviewing the vendor contract is key too.
upvoted 0 times
...
Valentin
4 months ago
Focusing on high-risk infrastructure makes total sense!
upvoted 0 times
...
Latia
4 months ago
Reviewing the vendor's security policy sounds relevant, but I wonder if it provides enough detail for proper scoping.
upvoted 0 times
...
Laura
4 months ago
I feel like determining if the vendor follows a security framework could be really important, but I can't recall if it's the most critical step.
upvoted 0 times
...
Mayra
4 months ago
I remember a practice question where reviewing the vendor contract was emphasized. It seems like a solid approach to scope the assessment.
upvoted 0 times
...
Celia
5 months ago
I think focusing on the infrastructure with the highest risk makes sense, but I'm not sure if that's the only factor to consider.
upvoted 0 times
...
Selma
5 months ago
Reviewing the vendor's security framework and how they implement it seems like a good approach to me. That will give us a comprehensive view of their security posture.
upvoted 0 times
...
Nicolette
5 months ago
I think the key here is to scope the assessment based on the highest risk areas. That means focusing on the infrastructure that poses the biggest threats.
upvoted 0 times
...
Sylvia
5 months ago
Hmm, I'm a little unsure about this one. Should we be looking at their overall security policy or just the specific controls in the contract?
upvoted 0 times
...
Melinda
5 months ago
This seems like a pretty straightforward question. I'd focus on reviewing the vendor contract and the security controls they've agreed to.
upvoted 0 times
...
Felix
5 months ago
I've got this one! The answer is VMware vCenter Server. Distributed vSwitches are managed and configured through the vCenter interface, so vCenter is the required component to use them. I'm confident that's the right answer.
upvoted 0 times
...
Francis
5 months ago
Hmm, I'm a bit unsure about this one. I know legislative and regulatory changes can have a big impact, but I'm not sure which of these options is the best place to cover that. I'll have to think it through carefully.
upvoted 0 times
...
Tamera
5 months ago
I'm pretty confident about this one. The architect's main job is to make sure the software design is suitable for its purpose (C) and that the technical implementation is of high quality (B). They're not as directly responsible for things like performance or eliminating all errors.
upvoted 0 times
...
Hector
2 years ago
I think determining whether the vendor follows the selected security framework rules is crucial for the assessment.
upvoted 0 times
...
Serina
2 years ago
I believe reviewing the controls listed in the vendor contract is important too.
upvoted 0 times
...
Jacquelyne
2 years ago
I agree with Kayleigh, that way we can prioritize our assessment.
upvoted 0 times
...
Kayleigh
2 years ago
I think we should focus on the infrastructure with the highest risk.
upvoted 0 times
...