When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?
A. Develop metrics for vendor performance.
B. Include information security criteria as part of vendor selection.
C. Review third-party reports of potential vendors.
D. Include information security clauses in the vendor contract.
I would also say B and then C. First you develop criteria that you include in vendor selection, then you go about reading third-party reports and compare what's in the report against the criteria.
Including information security criteria as part of the vendor selection process ensures that security considerations are integrated into the initial evaluation. This step involves assessing the security posture of potential vendors against predefined criteria before proceeding with further evaluation or contractual agreements. It helps filter out vendors that do not meet the required information security standards from the outset.
While the other options (developing metrics for vendor performance, reviewing third-party reports, and including information security clauses in the vendor contract) are important steps in the overall vendor management process, incorporating information security criteria early in the vendor selection process is critical for establishing a foundation of security in the relationship from the beginning.
Once an organization has established its third-party risk classification and has begun to identify its third parties and their respective risk tiering, third parties can be assessed.
Before assessments can be performed, however, the organization needs to develop a scheme. -AIO Book
Choices A, B, and D are right steps. However, they come after the easiest step, which is C.
No organization in reality will develop performance metrics before checking available public recent third-party audit reports. The sequence is important. C is first and the others remaining will be after.
The first step is getting available info in public, like third-party reviews.
Before proceeding in other steps that may be still important.
But as for order, the first step is getting a third-party vendor report, like a Gartner report for example.
Right answer is C.
I would disagree; for example, ensuring systems data is encrypted at rest and in transit is a critical security criterion and is not a metric, nor does it feed into metrics.
The correct answer is C. Reviewing third-party reports of potential vendors is the first step to ensure the correct level of information security is provided. These reports may include results of security audits or assessments, which can provide valuable information on a vendor's security controls and risks. This information can be used to evaluate the vendor's security posture and make an informed decision about whether to engage with them. The other options are also important steps in the process, but they come after reviewing the reports of potential vendors.
I would agree with B. I have seen many RFPs that included client data protection needs. You want to be upfront with your needs and exclude vendors that don't meet your needs prior to going into a contract.
D is necessary but not the FIRST step; B is first, then D once the vendor was selected.
Community vote distribution: A (35%), C (25%), B (20%), Other