CISM Certified Information Security Manager – Question0726

An organization recently rolled out a new procurement program that does not include any security requirements. Which of the following should the information security manager do FIRST?

A. Conduct security assessments of vendors based on value of annual spend with each vendor.
B. Meet with the head of procurement to discuss aligning security with the organization's operational objectives.
C. Ask internal audit to conduct an assessment of the current state of third-party security controls.
D. Escalate the procurement program gaps to the compliance department in case of noncompliance issues.

Correct Answer: B