1. ISACA, CISM Review Manual, 15th Edition, Domain 2: Information Risk Management, Section 2.8, "Third-Party Risk Management." The manual emphasizes that contracts and SLAs are critical for defining security requirements for third parties. It states: "The contract should include...security requirements...[and] the right to audit and monitor." Assessments are scoped to validate these contractual clauses.
2. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, Annex A, Control A.5.20, "Addressing information security within supplier agreements" (its companion control A.5.19 is "Information security in supplier relationships"). The wording quoted here, "information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented," is the text of the 2013 edition's control A.15.1.1, which the 2022 Annex A consolidates into A.5.19 and A.5.20; the requirement that agreed security requirements be documented in the supplier agreement is retained, making the agreement the basis for any compliance review.
3. NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations, Chapter 2, "The Fundamentals," Section 2.8, "Supply Chain Risk Management." This publication highlights the importance of establishing cybersecurity requirements and including them in acquisition contracts. Subsequent monitoring and assessment activities are scoped to verify that the vendor meets these contractual requirements.