What stops an IT service provider from "cooking" their reports by falsifying information? So it can't be D. Only an independent 3rd-party (external) audit can confirm compliance. My company is being audited by our customers (large financial entities) regularly because our customers want to know whether or not we are full of crap when we say that we handle their data and other stuff as they require us to. :)
The BEST answer for questions that involve reporting is always having an independent party audit. Anything internal can involve inaccurate information which makes D not the right answer. Answer is A.
D. Requiring regular reporting from the IT service provider.
While all of the options listed can contribute to information security, requiring regular reporting from the IT service provider is a proactive measure that allows the organization to monitor and verify the IT service provider's compliance with information security requirements on an ongoing basis. This reporting can include key performance indicators (KPIs), security incident reports, compliance checklists, and other relevant information. Regular reporting provides transparency and accountability, making it easier to identify and address any potential security issues or deviations from established security requirements promptly. It also ensures that the organization has up-to-date information about the IT service provider's security posture and can take corrective actions as needed.
The correct answer is D. Requiring regular reporting from the IT service provider.
Explanation: Among the options provided, requiring regular reporting from the IT service provider is the best approach to ensuring compliance with an organization's information security requirements.
Here's why this option is the best choice:
D. Requiring regular reporting from the IT service provider: Regular reporting ensures ongoing visibility into the IT service provider's activities, performance, and adherence to the organization's information security requirements. It provides a mechanism to monitor and verify compliance over time.
From the CISM Review Manual, 15th Edition, by ISACA (Page 138):
"A regular review of third-party reports is necessary to ensure ongoing compliance with contractual obligations."
By requiring regular reporting from the IT service provider, the organization can obtain relevant information about the provider's compliance with the established information security requirements. Regular reporting allows for ongoing monitoring of the IT service provider's adherence to security controls, performance metrics, incident response, and other relevant aspects.
The correct answer is: (A.) Requiring an external security audit of the IT service provider. This is because you can't have the wolf guarding the henhouse. (i.e., providers may lie or not provide accurate/complete information, but you can't do that with an independent auditor.)
Rationale:
(B.) Defining the business recovery plan with the IT service provider is incorrect because there is no way to measure this.
(C.) Defining information security requirements with internal IT is great for your internal IT, but that excludes the provider, so this is wrong.
(D.) Requiring regular reporting from the IT service provider is incorrect because the provider may have an incentive to not give complete or accurate information.
D. Requiring regular reporting from the IT service provider would be the best option to ensure compliance with an organization's information security requirements by an IT service provider. Regular reporting will help to ensure that the IT service provider is meeting the agreed-upon service level agreements and other security requirements. This reporting can include metrics such as system uptime, response times, security incidents, and compliance with security policies and standards. It will also enable the organization to identify potential security risks and take appropriate actions to mitigate them.