
Exam CISM topic 1 question 87 discussion

Actual exam question from Isaca's CISM
Question #: 87
Topic #: 1
Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?

  • A. A live demonstration of the third-party supplier's security capabilities
  • B. The ability to audit the third-party supplier's IT systems and processes
  • C. Third-party security control self-assessment results
  • D. An independent review report indicating compliance with industry standards
Suggested Answer: B

Comments

AaronS1990
Highly Voted 1 year, 5 months ago
Selected Answer: B
I still like B. It's a close one, but ISACA loves right-to-audit clauses, and D checks against industry standards, not your organisation's standards. B.
upvoted 7 times
Josef4CISM
Highly Voted 5 months, 3 weeks ago
B, because the question asks about compliance with the ORGANIZATION'S security requirements. You can only check compliance by auditing the third party yourself, as industry best practices / frameworks (answer D) may contain different security requirements from those of the security manager's organization.
upvoted 5 times
Az900500
Most Recent 3 weeks ago
Selected Answer: B
The BEST option for assurance is B. The ability to audit the third-party supplier's IT systems and processes. Direct audit rights provide the highest level of assurance. It allows the organization to independently verify the service provider's security controls and their effectiveness. This is far more reliable than relying on self-assessments or even third-party reports, as it gives the organization direct evidence.
upvoted 1 times
GAAMMC
4 weeks, 1 day ago
Selected Answer: B
The right to audit will provide this assurance.
upvoted 1 times
grandMa
4 months, 1 week ago
Selected Answer: B
The answer is B. Unless the third party satisfies the security requirements of the client organization, the business infosec requirements might not be fully satisfied by industry standards alone.
upvoted 2 times
alifjouj
6 months ago
Selected Answer: D
An independent review report is itself an audit.
upvoted 2 times
GAAMMC
4 weeks, 1 day ago
Not against industry best practice. It has to be against the company's IS policies, etc.
upvoted 1 times
bcffcfb
7 months, 3 weeks ago
D: An independent review report, such as a SOC 2 Type II report, ISO 27001 certification, or similar, is conducted by external auditors and provides an objective assessment of the service provider’s compliance with established industry standards. These reports are typically comprehensive, include testing of controls over a period of time, and provide a higher level of assurance due to their independence and adherence to strict auditing standards.
upvoted 1 times
Noragretz
1 month, 1 week ago
But this doesn't mean it meets your organization's standard for your particular area of business, country, or locality.
upvoted 1 times
Eltooth
8 months, 3 weeks ago
Selected Answer: D
This is a tough one; going with D as the correct answer. The ability to audit does not mean that an audit has actually taken place to confirm that supplier standards meet the needs of the company, so there is no actual output to measure against company standards. An independent audit against an industry standard shows an outcome that can be measured against the company standards; however, there is no guarantee the industry standard meets the company requirements.
upvoted 3 times
helg420
9 months, 3 weeks ago
Selected Answer: B
B. The ability to audit the third-party supplier's IT systems and processes. Having the ability to conduct audits on the third-party supplier's IT systems and processes allows the information security manager to directly assess and verify compliance with the organization's specific information security requirements. This direct approach enables the organization to pinpoint areas of concern, ask specific questions, and receive immediate clarification or evidence of compliance that aligns with its unique requirements, rather than relying solely on general industry standards. This option ensures a more nuanced and tailored evaluation of the supplier's adherence to the specific security policies, controls, and standards expected by the hiring organization.
upvoted 1 times
03allen
10 months, 1 week ago
Selected Answer: D
I choose D. An industry compliance certificate like SOC 2 will indicate the vendor offers a reliable service. We all know the organization will not have time to audit the vendor's IT infrastructure itself, and the vendor will not allow it either.
upvoted 2 times
oluchecpoint
1 year ago
Selected Answer: D
D. An independent review report indicating compliance with industry standards. An independent review report indicating compliance with industry standards is often a reliable source of assurance because it means that the service provider's practices have been evaluated by an independent third party against recognized industry standards or frameworks. These independent reviews are typically conducted by reputable audit or certification bodies.
upvoted 3 times
Uncle_Lucifer
1 year, 2 months ago
Selected Answer: B
D would have been best if it focused on the org's policy and not the industry standard. B is the better answer for the question.
upvoted 3 times
Cyberbug2021
1 year, 3 months ago
Selected Answer: D
Organizations have a hard time auditing themselves and dealing with their own audits, let alone being able to audit a vendor; plus, a vendor won't let you.
upvoted 2 times
Viperhunter
1 year, 3 months ago
Selected Answer: D
An independent review report, especially one indicating compliance with recognized industry standards, provides a level of assurance about the service provider's adherence to established security practices. Independent assessments, audits, or certifications conducted by reputable third-party organizations can verify the effectiveness of a service provider's security controls and processes. While a live demonstration (Option A) may provide some insight, it may not cover all aspects of security, and it may not be as thorough as an independent review. The ability to audit the third-party supplier's IT systems and processes (Option B) is a strong option, but it may not always be feasible due to legal or contractual constraints. Third-party security control self-assessment results (Option C) may lack the objectivity and independence provided by external assessments. Therefore, an independent review aligned with industry standards is often considered a robust assurance mechanism.
upvoted 2 times
Perseus_68
1 year, 4 months ago
Are the correct answers displayed really correct, or do they wait for the community to define the answer? The "right" to audit provides NO assurance that a service provider complies with the organization's IS program. No proof has been established until evidence (like a third-party report) has been obtained, or the audit or a security review has been performed.
upvoted 1 times
sphenixfire
1 year, 5 months ago
Selected Answer: B
Not D, because you check the requirements you set, not the standards. B, because of the "right to audit".
upvoted 2 times
oluchecpoint
1 year, 6 months ago
D. An independent review report indicating compliance with industry standards. An independent review report indicating compliance with industry standards is often a reliable source of assurance because it means that the service provider's practices have been evaluated by an independent third party against recognized industry standards or frameworks. These independent reviews are typically conducted by reputable audit or certification bodies.
upvoted 1 times