CISM Certified Information Security Manager – Question0706

When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?

A. Include information security clauses in the vendor contract.
B. Review third-party reports of potential vendors.
C. Include information security criteria as part of vendor selection.
D. Develop metrics for vendor performance.

Correct Answer: C