Exam CISA topic 1 question 1718 discussion

D is correct. A is the second best answer. Simply because D is of a greater concern. D directly relates to CIA triad. confidentially being. pillar of this. Correct answer is D.

The absence of confidentiality terms (D) is the greatest concern because it directly jeopardizes the protection of PII, which is the core issue for a CRM system handling sensitive data. The CISA Review Manual underscores this in Chapter 5, Section 5.3.10: "Contracts with external parties should include provisions for security and privacy, including confidentiality agreements" (Page 392). Without these terms, there’s no contractual assurance of data protection, exposing the organization to legal, regulatory, and reputational risks. While a right-to-audit clause (A) is critical for oversight, its absence is less severe if confidentiality obligations exist, as it’s a means to enforce rather than define protection. SLAs (B) and availability requirements (C) are operational concerns, not directly tied to PII security.

A. Right-to-audit clause The absence of a right-to-audit clause would be the greatest concern in this scenario. This clause allows the organization to review and verify the third party’s compliance with security, privacy, and data protection requirements, especially important for a CRM system that contains personally identifiable information (PII). Without a right-to-audit clause, the organization may have limited ability to assess whether the third party is adequately protecting PII, which could increase risks related to data breaches and regulatory non-compliance. While SLAs, availability requirements, and confidentiality terms are also important, the right-to-audit clause is critical for ensuring ongoing compliance and accountability.

D is the correct answer. We care about the PII and the confidentiality terms which covers what is whos responsibility, to what level it needs to be protected and other things. Just because you have a right to audit clause does not mean that it meets the required standards, policies, or procedures necessary for your data that they are handling.

A right-to-audit clause allows the organisation to assess the third party's security controls, compliance with legal requirements, and handling of sensitive data like PII. Without this clause, the organisation cannot verify if the third party is properly protecting PII, which could expose the organisation to legal and compliance risks.

Option A because it is more comprehensive A right-to-audit clause is critical because it gives the client organization the contractual right to audit the vendor’s security controls, processes, and compliance. Without this, the client would have no way to verify that the vendor is properly securing the sensitive personal identifiable information (PII) as required. Confidentiality terms prohibit the vendor from disclosing data but don’t give the client the right to audit the vendor’s practices. Therefore, the absence of a right-to-audit clause would be the most concerning for an IS auditor reviewing this contract, as it removes the client’s ability to verify the vendor’s security and compliance through an audit. The right-to-audit is an essential safeguard for sensitive data hosted by third parties.

Since the CRM system contains personally identifiable information (PII), having clear and enforceable confidentiality terms is critical to ensuring the protection of sensitive data, the answer is option D

the right wnswer is D