Exam CISM topic 1 question 358 discussion

The Correct answer is (B) Vendor compliance with the organization's information security policies. Without the vendor adhering to the organization's security policies the org's critical information is surely going to be at risk. Rationale (A) Just because the vendor is complying with the most stringent data security regulations doesn't mean that it is meeting the org's security policy as the org could have some obtuse or org-specific policy that isn't covered by the regulation. (C.)SLA don't may or may not be security related. (B) is a better answer in this case. (D) Vendor compliance with recognized industry security standards doesn't mean that it will be compliant with the ORG's security policy and posture. So as you can see the only one that truly aligns with the org's security stance is (B) Vendor compliance with the organization's information security policies.

best answer would be compliance to PDPA or similar regulations, but if hypothetically the org have implemented controls/practices based on industry standard, B would be a great answer

The vendor complies with the organization's information security policies (option B) is important, those policies may vary from one organization to another and may not cover all security aspects that industry standards encompass. Therefore, industry security standards are often considered a more critical benchmark when outsourcing critical functions like payroll processing.

Question says 'from a security perspective' therefore answer is B. The Security Manager will not be concerned about the legal or performance stuff contained in the SLA

B could be included in C among other points

B. Vendor compliance with the organization's information security policies

A vendor will no comply with all my Info sec regulations. that's why we create an SLA, (which are the happy medium) and from there we go!

Why not C? The SLA should contain the information security policies