In the "CISM Review Manual 15th Edition" by ISACA, it is stated in Domain 4: Incident Management and Response, that continuous monitoring is a critical part of the overall incident management process, and it extends to monitoring third-party providers to ensure they meet the organization's security requirements.
Continuous monitoring provides the BEST assurance that a third-party provider is actively meeting security requirements on an ongoing basis, not just at a point in time.
It allows for:
• Real-time visibility into compliance and risk posture
• Proactive detection of control failures or vulnerabilities
• Ensuring service-level and security-level agreements are being upheld
• Early response to changes in the third party’s environment
ConMon involves regularly checking a vendor's security posture, including their compliance with regulations, security controls in place, and any changes made to their systems.
A right-to-audit clause can include continuous monitoring. Audit =/= periodic (people get stuck with this). It's like when you enable auditing of a specific action or of a file system in the OS. It's not periodic, it's constant (and you can call it continuous monitoring).
I understand that audit and assurance go hand in hand. However, if we have to pick between audit and continuous monitoring, I'd pick monitoring. Audit will provide the snapshot of the state of security at a specific time, which can change post audit. Continuous monitoring will be required for ongoing assurance.
Answer: A
A for sure; it's the only method that provides assurance, while an audit cannot, since the vendor can alter controls after the audit is closed. Besides, continuous monitoring is generally performed after an audit or security assessment, which is why it is called "continuous monitoring" and not just "monitoring".
Continuous monitoring helps in ongoing oversight, but it may not cover all aspects of security requirements. Due diligence questionnaires provide initial information, but they may not be sufficient to validate the provider's security practices comprehensively. Performance metrics can indicate the provider's performance but may not directly address security requirements.
Community vote distribution: A (35%), C (25%), B (20%), Other