Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?
A. A live demonstration of the third-party supplier's security capabilities
B. The ability to audit the third-party supplier's IT systems and processes
C. Third-party security control self-assessment results
D. An independent review report indicating compliance with industry standards
I still like B. It's a close one, but ISACA loves right-to-audit clauses, and D checks against industry standards and not your organisation's standards. B
The answer is B.
Unless the third party satisfies the security requirements of the client organization, the business infosec requirements might not be fully satisfied by the industry standards only.
B, because the question asks about compliance with the ORGANIZATION'S security requirements. You can only check compliance by auditing the third party yourself, as industry best practices / frameworks (answer D) may contain different security requirements compared to the requirements of the security manager's organization.
D:
An independent review report, such as a SOC 2 Type II report, ISO 27001 certification, or similar, is conducted by external auditors and provides an objective assessment of the service provider’s compliance with established industry standards. These reports are typically comprehensive, include testing of controls over a period of time, and provide a higher level of assurance due to their independence and adherence to strict auditing standards.
This is a tough one - going with D as the correct answer.
The ability to audit does not mean that an audit has actually taken place to confirm that the supplier's standards meet the needs of the company. Therefore there is no actual output to measure against company standards.
An independent audit against an industry standard shows an outcome that can be measured against the company standards - however, there is no guarantee the industry standard meets the company requirements.
B. The ability to audit the third-party supplier's IT systems and processes
Having the ability to conduct audits on the third-party supplier's IT systems and processes allows the information security manager to directly assess and verify compliance with the organization’s specific information security requirements. This direct approach enables the organization to pinpoint areas of concern, ask specific questions, and receive immediate clarification or evidence of compliance that aligns with their unique requirements, rather than relying solely on general industry standards. This option ensures a more nuanced and tailored evaluation of the supplier's adherence to the specific security policies, controls, and standards expected by the hiring organization.
I choose D. An industry compliance certificate like SOC 2 will indicate the vendor offers a reliable service.
We all know the organization will not have time to audit the vendor's IT infrastructure by themselves, and the vendor will not allow them to either.
D. An independent review report indicating compliance with industry standards
An independent review report indicating compliance with industry standards is often a reliable source of assurance because it means that the service provider's practices have been evaluated by an independent third party against recognized industry standards or frameworks. These independent reviews are typically conducted by reputable audit or certification bodies.
Organizations have a hard time auditing themselves and dealing with their own audits, let alone being able to audit a vendor; plus, a vendor won't let you.
An independent review report, especially one indicating compliance with recognized industry standards, provides a level of assurance about the service provider's adherence to established security practices. Independent assessments, audits, or certifications conducted by reputable third-party organizations can verify the effectiveness of a service provider's security controls and processes.
While a live demonstration (Option A) may provide some insight, it may not cover all aspects of security, and it may not be as thorough as an independent review. The ability to audit the third-party supplier's IT systems and processes (Option B) is a strong option, but it may not always be feasible due to legal or contractual constraints. Third-party security control self-assessment results (Option C) may lack the objectivity and independence provided by external assessments. Therefore, an independent review aligned with industry standards is often considered a robust assurance mechanism.
Are the correct answers displayed really correct, or do they wait for the community to define the answer? The "right" to audit gives NO assurance that a service provider complies with the organization's IS program. No proof has been established until evidence (like a third-party report) has been provided, or the audit has been performed, or a security review has been performed.
Going with B. Right-to-audit clauses are normally included in contracts with service providers; unless directly auditing them is specifically prohibited, in which case you may require third-party reports.
An independent review of compliance with industry standards may not be sufficient, as the service receiver has their OWN security requirements that may be different from those of the industry.
B and D are valid options; however, B would require effort to carry out the audit yourselves. The better and more efficient option is reviewing an audit carried out independently.
Commenters (Highly Voted first, then Most Recent): AaronS1990 (1 year, 2 months ago); grandMa (3 weeks, 6 days ago); Josef4CISM (2 months, 1 week ago); alifjouj (2 months, 3 weeks ago); bcffcfb (4 months, 1 week ago); Eltooth (5 months, 1 week ago); helg420 (6 months, 1 week ago); 03allen (6 months, 3 weeks ago); oluchecpoint (9 months, 2 weeks ago); Uncle_Lucifer (11 months, 2 weeks ago); Cyberbug2021 (12 months ago); Viperhunter (12 months ago); Perseus_68 (1 year, 1 month ago); sphenixfire (1 year, 2 months ago); oluchecpoint (1 year, 2 months ago); jennarink13 (1 year, 4 months ago); Awkspikey (1 year, 5 months ago)