CISA Certified Information Systems Auditor – Question0638

Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?

A.
Compensating controls in place to protect information security
B. Corresponding breaches associated with each vendor
C. Criticality of the service to the organization
D. Compliance requirements associated with the regulation

Correct Answer: C