Exam CISM topic 1 question 825 discussion

D? The best way to assess the risk associated with using a Software as a Service (SaaS) vendor is to review the results of the vendor's independent control reports. This will help you to understand the vendor's security practices and procedures, and to identify any potential risks.

D - provide concrete evidence of the vendor’s compliance with security standards and their effectiveness in managing security risks.

The BEST way to assess the risk associated with using a Software as a Service (SaaS) vendor is option D: "Review the results of the vendor's independent control reports." Independent control reports, such as SOC 2 (Service Organization Control 2) reports, provide detailed information about a vendor's security controls and practices. These reports are typically issued by third-party auditors and can give you valuable insights into the effectiveness of the vendor's security measures.

D. Review the results of the vendor's independent control reports. SOC 2 reports are examples of a vendor's independent control report. These reports can help you assess the risk associated with a SaaS provider.

assess the risk is D

Reviewing the results of the vendor's independent control reports is the best approach because it involves assessing the vendor's security controls and practices through an independent, third-party audit or assessment. These reports, such as SOC 2 (System and Organization Controls) reports, provide detailed information about the effectiveness of the vendor's security controls and can give you a more objective view of their security posture.

Definitely A, how you can rely on ISO 27001 if you are choosing someone to process CID in financial institution? You need to have your own questionnaires and this is the best option.

Hi Guys, what is Isaca (formal) response to this question ? is it the one in green ? I don't understand how this site works.

The BEST way to "assess" the risk of a third-party is: A. Require vendors to complete information security questionnaires. Questionnaires provide current information relative to security requirements that important to your organization. Independent control reports may not be as timely or as current and do not necessarily reflect the risks most important your organization.

The best way to assess the risk associated with using a Software as a Service (SaaS) vendor is to review the results of the vendor's independent control reports. This will provide the most comprehensive assessment of the vendor's security controls, giving you a better understanding of the risks associated with the vendor.

D. Review the results of the vendor's independent control reports.