Exam CISM topic 1 question 58 discussion

Identifying the intended audience is crucial because different stakeholders may have different interests and priorities when it comes to vendor risk management. Understanding who will receive the metrics helps in tailoring the metrics to meet the specific needs and expectations of the audience. This ensures that the reported metrics are relevant, meaningful, and useful for the intended recipients. While other factors, such as selecting the data source (option A), reviewing confidentiality requirements (option B), and identifying the data owner (option D), are important considerations, determining the intended audience should be the initial step to guide the selection of appropriate performance metrics.

C. Identify the intended audience. Before diving into the specifics of data sources (A), confidentiality requirements (B), or data owners (D), it's crucial to determine who will be receiving and using the performance metrics. Different audiences may have varying needs and priorities when it comes to vendor risk management metrics. Identifying the intended audience will help tailor the selection of metrics to meet their specific requirements and ensure that the metrics are relevant and meaningful to the stakeholders involved. Once the intended audience is clear, you can then proceed to consider factors such as data sources, confidentiality requirements, and data ownership to ensure that the selected metrics are both accurate and compliant with organizational policies and regulations.

C. Identify the intended audience.

Acquiring a new company can introduce significant security risks for an organization, particularly if the acquired company has different security policies, procedures, and standards than the acquiring organization. Therefore, it is essential for the information security manager of Company A to thoroughly assess and evaluate the security posture of Company B before the acquisition is completed.