🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 4.5 - Contracting & Procurement

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series shows how to build security into choosing and managing vendors, part of Domain 1. It explains why vendor security deserves its own review, when those reviews belong in the relationship, and how to scale the scrutiny to match what is actually at stake.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

Why does vendor security deserve its own review?

Because outsourcing the work does not outsource the risk. As organizations lean on cloud services and outside vendors to store, process, and move sensitive information, those vendors inherit access to your data. If you never inspect how they protect it, you are simply trusting on faith, so security professionals fold formal reviews into the contracting and procurement process itself.

When in the relationship should you review a vendor?

At two points, not just one. The first is during initial selection, when you evaluate a vendor’s controls before you sign anything. The second is ongoing, through regular vendor governance reviews across the life of the relationship, because a vendor that was solid at signing can drift over time, changing its systems, its staff, or its own subcontractors.

What questions reveal how a vendor protects your data?

A focused set that probes their controls directly. What kinds of sensitive information will they store, process, or transmit? What controls guard that information, and how is your data kept separate from other clients’ data? If encryption is the safeguard, which algorithms and key lengths do they use, and how do they manage the keys? And what security audits do they run, and will they let you see the results?

What deeper risks hide behind a vendor?

The ones that reach past the vendor itself. Does your vendor rely on other third parties, and do your contract’s security terms extend to those subcontractors too? Where will your data actually live, and if it crosses into another country, what legal implications follow? What is the vendor’s incident response process, how quickly will they tell you about a suspected breach, and what protects the ongoing integrity and availability of your data in their hands?

How do you right-size the review?

By matching its depth to the actual stakes. There is no single checklist that fits every vendor — you tailor the scope to your organization’s specific concerns, the kind of service the vendor provides, and the sensitivity of the information you will share. A vendor handling public marketing copy warrants a lighter touch than one holding regulated customer records.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 4.5 - Contracting & Procurement.