Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?
An independent review report indicating compliance with industry standards provides the information security manager with assurance that the service provider meets established security practices. Such reviews are typically conducted by reputable audit or certification bodies and include extensive testing of controls, which ensures a high level of objectivity and accuracy. This method offers confidence that the service provider maintains robust security measures, independently verified and not biased by self-assessments or limited internal audits that might not cover all necessary facets.
I still like B. It's a close one, but ISACA loves right-to-audit clauses, and D checks against industry standards and not your organisation's standards. B
D would have been best if it focused on the org's policy and not industry standard. B is better answer for the question.
This is a tough one - going with D as the correct answer. The ability to audit does not mean that an audit has actually taken place to confirm that supplier standards meet the needs of the company. Therefore, there is no actual output to measure against company standards. An independent audit against an industry standard shows an outcome that can be measured against the company standards - however, there is no guarantee the industry standard meets the company requirements.
D. An independent review report indicating compliance with industry standards
An independent review report indicating compliance with industry standards is often a reliable source of assurance because it means that the service provider's practices have been evaluated by an independent third party against recognized industry standards or frameworks. These independent reviews are typically conducted by reputable audit or certification bodies.
Not D, because you check the requirements you set, not the standards. B, because of the "right to audit".
D: An independent review report, such as a SOC 2 Type II report, ISO 27001 certification, or similar, is conducted by external auditors and provides an objective assessment of the service provider’s compliance with established industry standards. These reports are typically comprehensive, include testing of controls over a period of time, and provide a higher level of assurance due to their independence and adherence to strict auditing standards.
B. The ability to audit the third-party supplier's IT systems and processes
Having the ability to conduct audits on the third-party supplier's IT systems and processes allows the information security manager to directly assess and verify compliance with the organization's specific information security requirements. This direct approach enables the organization to pinpoint areas of concern, ask specific questions, and receive immediate clarification or evidence of compliance that aligns with their unique requirements, rather than relying solely on general industry standards. This option ensures a more nuanced and tailored evaluation of the supplier's adherence to the specific security policies, controls, and standards expected by the hiring organization.
I choose D. An industry compliance certificate like SOC 2 will indicate the vendor offers a reliable service. We all know the organization will not have time to audit the vendor's IT infrastructure by themselves, and the vendor will not allow them to either.
Organizations have a hard time auditing themselves and dealing with their own audits, let alone being able to audit a vendor; plus, a vendor won't let you.
An independent review report, especially one indicating compliance with recognized industry standards, provides a level of assurance about the service provider's adherence to established security practices. Independent assessments, audits, or certifications conducted by reputable third-party organizations can verify the effectiveness of a service provider's security controls and processes. While a live demonstration (Option A) may provide some insight, it may not cover all aspects of security, and it may not be as thorough as an independent review. The ability to audit the third-party supplier's IT systems and processes (Option B) is a strong option, but it may not always be feasible due to legal or contractual constraints. Third-party security control self-assessment results (Option C) may lack the objectivity and independence provided by external assessments. Therefore, an independent review aligned with industry standards is often considered a robust assurance mechanism.
Are the correct answers displayed really correct, or do they wait for the community to define the answer? The "right" to audit has NO assurance that a service provider complies with the organization's IS program. No proof has been established until evidence (like a third-party report) exists, or the audit has been performed, or a security review has been performed.
Going with B. Right-to-audit clauses are normally included in contracts with service providers; unless directly auditing them is specifically prohibited, in which case you may require third-party reports. An independent review of compliance with industry standards may not be sufficient, as the service receiver has their OWN security requirements that may be different to those of the industry.
B and D are valid options; however, B would require effort to carry out the audit yourselves. The better and more efficient option is reviewing an audit carried out independently.
D. An independent review report indicating compliance with industry standards
I have to agree with the previous comment. What if the organization's standards are stronger than the industry standard? The only way to know is if they add to the SLA that the ISM is allowed to do a security audit for assurance.
The ability to audit the third-party supplier's IT systems and processes is the BEST way to provide an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements.