CompTIA Security+ · SY0-701

Objective 5.3: Explain the processes associated with third-party risk assessment and management

Practice questions for Security+ objective 5.3, Explain the processes associated with third-party risk assessment and management.” Every question is original, written to the SY0-701 exam objectives, and comes with a full explanation — answer them below to see instant grading.

This objective sits in Domain 5.0: Security Program Management and Oversight, which is about 20% of the exam — so mastering it moves your readiness score meaningfully.

1.An organization's procurement team is onboarding a new vendor that will provide cloud-based legal document management services. The vendor will store attorney-client privileged communications, litigation strategies, and regulatory correspondence on behalf of the organization. During the vendor assessment, the security team discovers that the vendor's terms of service include a clause permitting the vendor to use customer data to train and improve its AI models and to share aggregated, de-identified data with research partners. The legal department has not reviewed the vendor contract. Which risk does this terms of service clause most precisely introduce, and which pre-contract activity would most directly have prevented this risk from reaching the contract execution stage?

2.Which agreement type establishes baseline performance metrics, uptime guarantees, and support response times between a customer and a service provider?

3.An organization's security team reviews a cloud service provider's penetration test results, conducted by an independent firm, as part of the vendor assessment process. Why is reviewing the vendor's penetration test results valuable?

4.During a supply chain analysis, an organization maps all tiers of its hardware components back to raw material suppliers. What is the PRIMARY reason for conducting this analysis?

5.An organization is onboarding a new SaaS vendor that will process and store sensitive employee HR data including compensation, performance reviews, and disciplinary records. The procurement team wants to complete onboarding within two weeks. The security team insists on completing due diligence before any data is transmitted to the vendor. Which combination of due diligence activities is most appropriate for this vendor relationship, and which document formally establishes the security and privacy obligations the vendor must meet?

Practice every objective, adaptively

CertBench tracks your score on 5.3 and every other objective, then builds a daily plan that targets your weakest spots. Start with the free diagnostic.

Take the free diagnostic

More objectives in Domain 5.0

← All Security+ practice questions