Domain 3: Information Security Program Module 22 of 47

Module 22: Management of External Services

CISM Domain 3 — Information Security Program, Section B

What the Exam Is Really Testing

Peel back the details and you will find one theme:

Risk accountability remains with the organization — even when services are outsourced.

Outsourcing services does NOT outsource risk.

Effective third-party governance requires:

  • Risk-based due diligence
  • Contractual safeguards
  • Ongoing monitoring
  • Defined ownership
  • Escalation processes

Fourth-party exposure (your vendor’s vendor) must also be considered.


The Executive Mindset Shift

The obvious move:

If the vendor is reputable, risk is reduced.

The better move:

Vendor reputation does not eliminate accountability.

Security leaders must:

  • Conduct risk assessment before onboarding
  • Align contract terms with risk appetite
  • Ensure right-to-audit clauses
  • Define service level expectations
  • Monitor ongoing performance
  • Track subcontractor (fourth-party) exposure

Third-party risk management is lifecycle governance.


The Third-Party Risk Lifecycle

1. Pre-Engagement Due Diligence

Before contract signing:

  • Risk assessment
  • Security questionnaire review
  • Compliance validation
  • Data handling evaluation
  • Business impact assessment

High-risk vendors require deeper scrutiny.

2. Contractual Safeguards

Contracts should define:

  • Security requirements
  • Incident notification timelines
  • Data protection obligations
  • Audit rights
  • Subcontractor approval requirements
  • Termination conditions

Contract language enforces governance expectations.

3. Ongoing Monitoring

Monitoring includes:

  • Performance reviews
  • Control validation
  • Compliance attestations
  • Risk reassessment
  • Incident response validation

Third-party risk management is not a one-time activity; the vendor's control environment, subcontractors and your own exposure all change after signing.

4. Fourth-Party Considerations

Vendors may rely on:

  • Cloud providers
  • Subcontractors
  • Managed service partners

Risk exposure extends beyond direct contracts.

Governance must address:

  • Visibility
  • Contractual flow-down requirements
  • Incident transparency

Governance Integration

Third-party oversight must:

  • Integrate with risk register
  • Reflect asset classification
  • Align with regulatory obligations
  • Include executive reporting for high-risk vendors
  • Assign internal vendor ownership

If no internal owner exists, accountability fails.


Pattern Recognition

When third-party risk appears, ask:

  1. Was due diligence conducted?
  2. Are contractual controls defined?
  3. Is monitoring ongoing?
  4. Are fourth parties considered?
  5. Is risk ownership defined internally?

Correct answers often involve:

  • Risk-based vendor tiering
  • Contractual enforcement clauses
  • Ongoing reassessment
  • Defined vendor ownership
  • Escalation for high-risk vendors

Not:

  • Trusting vendor certifications blindly
  • One-time assessment only
  • Ignoring subcontractor risk
  • Assuming insurance eliminates exposure

Trap Pattern

Common wrong instincts:

  • “Vendor certification equals security.”
  • “Outsourcing transfers accountability.”
  • “Annual review is sufficient.”
  • “Fourth parties are vendor’s problem.”

CISM emphasizes retained accountability and lifecycle oversight.


Scenario Practice

Question 1

A cloud vendor experiences a data breach affecting your organization’s customer data.

Who retains ultimate accountability for regulatory compliance?

  A. The cloud provider
  B. The external auditor
  C. The regulator
  D. Your organization

Answer & Explanation

Correct Answer: D

Outsourcing services does not transfer regulatory accountability.


Question 2

A critical vendor contract lacks incident notification timelines.

What is the PRIMARY governance weakness?

  A. Inadequate contractual safeguards
  B. Encryption gap
  C. Monitoring deficiency
  D. Vendor inefficiency

Answer & Explanation

Correct Answer: A

Contracts must define security expectations and response requirements.


Question 3

A vendor uses multiple subcontractors to process sensitive data.

What should be evaluated FIRST?

  A. Replace the vendor
  B. Increase internal encryption
  C. Assess fourth-party exposure and contractual flow-down protections
  D. Eliminate outsourcing entirely

Answer & Explanation

Correct Answer: C

Fourth-party risk must be assessed and contractually governed.


Question 4

A vendor passed due diligence at onboarding but has not been reviewed in three years.

What is the PRIMARY concern?

  A. Reduced automation
  B. Lack of ongoing risk monitoring
  C. Encryption deficiency
  D. Vendor reputation

Answer & Explanation

Correct Answer: B

Third-party risk requires continuous monitoring.


Question 5

A business unit selects a vendor without involving security.

What is the MOST appropriate FIRST action?

  A. Terminate the vendor immediately
  B. Ignore the engagement
  C. Notify regulators
  D. Conduct a structured third-party risk assessment

Answer & Explanation

Correct Answer: D

Risk evaluation must occur before full integration.


Key Takeaway

In CISM:

You can outsource services. You cannot outsource accountability.

Effective external service governance requires:

  • Risk-based onboarding
  • Contractual safeguards
  • Continuous monitoring
  • Fourth-party visibility
  • Clear internal ownership

That is what governance looks like when services cross organizational boundaries.

Next module: Module 23: Information Security Program Communications and Reporting