Comprehensive and Detailed Step-by-Step Explanation: To ensure that a service vendor maintains required control levels, direct verification through onsite assessments is the most effective approach.

* Option A (Correct): Onsite assessments allow auditors to directly review controls, procedures, and evidence of compliance in real time, ensuring that service levels are being met.
* Option B (Incorrect): Unannounced vulnerability assessments may violate contractual agreements and ethical considerations.
* Option C (Incorrect): Reviewing the SLA ensures agreement terms are clear but does not verify actual compliance.
* Option D (Incorrect): A Control Self-Assessment (CSA) is useful but relies on vendor-provided information, which may be biased or incomplete.

Reference: ISACA CISA Review Manual - Domain 4: Information Systems Operations and Business Resilience - Covers third-party risk management and audit approaches.