Ensuring that an organization can conduct security reviews within third-party facilities is PRIMARILY enabled by:

A. service level agreements (SLAs)

B. acceptance of the organization's security policies

C. contractual agreements

D. audit guidelines

Correct Answer: A???? or C????????

______________________

Note

The official answer (could be incorrect because NO comes from ISACA!) is: "A. service level agreements (SLAs)".

Other experts claim that the correct answer is: "C. contractual agreements".

Beware some authoritative sources say option A, other authoritative sources say C. Please answer if you are really sure.

Your expert opinion (and explanation) is strongly requested. Many thanks in advance.