An organization that uses external cloud services extensively is concerned with risk monitoring and timely response. The BEST way to address this concern is to ensure:
A. the availability of continuous technical support.
B. appropriate service level agreements (SLAs) are in place.
C. a right-to-audit clause is included in contracts.
Both answers B and C are correct to me. Here is why:
Question asks about risk monitoring: this can be achieved through continuous audit mechanisms of vendor systems by technical measures. Therefore, answer C is correct.
However, the question also asks about a timely response, indicating that answer B is correct as well.
Conclusion: question is not fairly stated.
A right-to-audit clause allows the organization to periodically review the cloud service provider's compliance with security and risk management practices. While this is important for oversight and ensuring adherence to standards, it does not directly ensure continuous risk monitoring and timely response. It is more of a periodic check rather than a continuous process.
Audit does not equal static, one in time audits. Audits include continuous system audits to assure the compliance of vendor system security measures in real time.
B. Appropriate service level agreements (SLAs) are in place.
SLAs are crucial because they define the expected level of service, including aspects such as uptime, performance, and response times for incidents. Effective SLAs should include specific terms for risk monitoring and timely response to incidents. This ensures that the cloud service provider is contractually obligated to monitor risks and respond within agreed-upon timeframes, directly addressing the organization's concern.
For those that go with SLA. How do you know that SLAs are in place, are met etc if you don't perform an audit on the cloud provider? Or do you trust the reports from the cloud provider?
I'm leaning towards C. Because we're concerned with timely response AND risk monitoring. SLA would address only the former, while the audit would address the latter (and SLAs to an extent). Then again, maybe I'm overthinking it. But maybe the majority is also falling for the trap the question author has made by putting SLA on position B making it "an obvious answer"...
Replying to myself here just to enforce my view of things. In vendor contracts, the right to audit clause grants the purchasing party (“Purchaser”) the authority to conduct audits or assessments of the vendor's activities, records, and *performance* to ensure compliance with the terms of the contract. In other words, it includes SLA stuff, while SLA does not include risk monitoring. So I still think it's C.
Including a right-to-audit clause in contracts with external cloud service providers allows the organization to conduct audits and assessments to verify compliance with security and risk management requirements. This clause provides the organization with the ability to monitor the provider's security controls, assess the effectiveness of risk management processes, and ensure that the cloud services meet the organization's security standards.
While options like the availability of continuous technical support (option A), appropriate service level agreements (SLAs) (option B), and having internal security standards in place (option D) are important considerations, the right-to-audit clause specifically empowers the organization to directly assess and monitor the security practices of the external cloud service provider.
I will go with C - SLA will take on timely response but to do risk monitoring you will need right to audit (including visibility to SLA). C allows you to answer both.
Can't be C.
"SLA" includes: right to audit (for risk monitoring) + req for outputs (the timely response).
"Right to audit" doesn't include the "timely response".
Whoever is answering, can you please explain how right to audit is possible? Do you think Amazon or Google allow any other IT company who are using their service to come to their premises and will allow an audit?