D can also be an option. Right to audit as a part of the SLA Security Clause.
Justification:
Reviewing the information security policy is the lowest level of assurance and is realized by performing self-assessments of provided documentation.
The second level of assurance is realized by third-party statements.
For Business Critical Security Controls the third level of assurance is realized by continuous auditing executed based on the SLA Security Clause.
I like D too. I think the most important word in the question is "confirm". How do you confirm? Ensure you have a right to audit their program, which allows you to confirm.
D - Including the right to audit in the SLA allows the organization to periodically review and verify the third-party provider's compliance with the agreed-upon security requirements. This provides a more dynamic and enforceable approach to ensuring ongoing compliance. Option C does not guarantee that the provider will continue to comply with the organization's security requirements over time.
Out of the options provided, the MOST important thing to ensure when confirming that a third-party provider complies with an organization's information security requirements would be option D, "Right to audit is included in the service level agreement (SLA)."
Confirming that a third-party provider complies with an organization's information security requirements is crucial to ensure the protection of sensitive data and systems. The most important step in this process is to review the information security policy of the third-party service provider. This review helps to determine the provider's security posture and identify any potential security risks associated with their services. It ensures that the provider's policies, procedures, and controls align with the organization's own information security requirements and that the provider is committed to protecting sensitive data and systems. By reviewing the information security policy of the third-party provider, organizations can make informed decisions about their security arrangements and ensure that they are able to manage and mitigate risks effectively. This is why reviewing the information security policy of the third-party provider is the most important step in confirming their compliance with an organization's information security requirements.