CISM Certified Information Security Manager – Question0318 - CISM Certified Information Security Manager

An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur?

A. Nothing, since a risk assessment was completed during development.
B. A vulnerability assessment should be conducted.
C. A new risk assessment should be performed.
D. The new vendor's SAS 70 type II report should be reviewed.

Correct Answer: C

Explanation:

Explanation:
The risk assessment process is continual and any changes to an established process should include a new- risk assessment. While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own.