CISM Certified Information Security Manager – Question1269

When reviewing the security controls of an application service provider, an information security manager discovers the provider's change management controls are insufficient. Changes to the provided application often occur spontaneously with no notification to clients. Which of the following would BEST facilitate a decision to continue or discontinue services with this provider?

A.
Comparing the client organization's risk appetite to the disaster recovery plan of the service provider.
B. Comparing the client organization's risk appetite to the criticality of the supplied application.
C. Comparing the client organization's risk appetite to the frequency of application downtimes.
D. Comparing the client organization's risk appetite to the vendor's change control policy.

Correct Answer: D