Exam CISM topic 1 question 344 discussion

Agreed> For Third-party risk mgt programs, it is important for Information security to conduct risk assessment and document all findings for all short-listed vendors which in turns help procuremnent/businness to make an informed decision for proper selcetion.

This is actually a tough one. B, C and D are all correct in a way. One of the definitions of due diligence in M&A is the following: "Due diligence allows the buyer in the M&A process to confirm hitherto undisclosed details about the selling company's financials, contracts, personnel and customers. In other words, it allows the buyer to obtain a complete picture of the business being acquired." So infosec manager should look into their security policies and processes (B), see how much they differ (D) and assess the risks based on that (C). So if I'd have to pick the most comprehensive answer, I'd say C. But I'm not 100% on this.

C. Perform a risk assessment Performing a risk assessment is crucial because it helps identify potential vulnerabilities and threats associated with the acquisition target. This assessment allows the acquiring organization to understand the security risks and make informed decisions about the acquisition. While reviewing security awareness, information security policies, and performing gap analysis are all important aspects of the due diligence process, assessing the specific risks associated with the acquisition target takes precedence because it forms the foundation for addressing security concerns and making risk-based decisions.

Risk Assessment is more appropriate

Due diligence phase is a comprehensive assessment of records of the target company prior to closing a merger or acquisition (M&A) deal

C. perform a risk assessment

in phase of acquisition, gap between A and B is needed.