A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?
Governance requires clear accountability even when services are outsourced.
Why this answer
Option D is correct because governance requires that the organization retain ultimate responsibility for security outcomes even when the function is outsourced. Without the ability to maintain oversight and hold the provider accountable, the company cannot ensure that its security posture stays aligned with its business risk tolerance and regulatory obligations. This is a fundamental principle of information security governance: the board and senior management can delegate the performance of security activities to a vendor, but they cannot delegate accountability for the results.
Exam trap
The trap is that candidates often mistake operational or contractual metrics (SLAs, certifications, cost) for governance considerations. CISM emphasizes that governance is about ensuring the organization retains ultimate accountability and oversight of the outsourced function, not merely about delegating tasks to a vendor.
How to eliminate wrong answers
Option A is wrong because, while SLAs for incident response times are important operational metrics, they are not the most critical governance consideration; governance focuses on strategic oversight and accountability, not just contractual performance targets.

Option B is wrong because technical expertise and certifications, while valuable for vendor selection, are operational or tactical concerns that do not address the governance requirement for the organization to retain control over security outcomes.

Option C is wrong because cost savings, though a common business driver, are a financial consideration that must be balanced against risk; prioritizing cost over governance can lead to loss of control and increased residual risk, which is itself a governance failure.