nerdexam
(ISC)2

CISSP · Question #1333

An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security ser

The correct answer is D. The right to audit the MSSP's security process. ISO 27001 requires that when outsourcing to third parties, organizations retain the right to audit the supplier's security processes to ensure compliance with the agreed security controls and standards.

Submitted by chen.hong· Mar 5, 2026Security and Risk Management

Question

An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security service provider (MSSP), The trading organization's security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract?

Options

  • AA detailed overview of all equipment involved in the outsourcing contract
  • BThe MSSP having an executive manager responsible for information security
  • CThe right to perform security compliance tests on the MSSP's equipment
  • DThe right to audit the MSSP's security process

How the community answered

(62 responses)
  • A
    8% (5)
  • B
    5% (3)
  • C
    19% (12)
  • D
    68% (42)

Why each option

ISO 27001 requires that when outsourcing to third parties, organizations retain the right to audit the supplier's security processes to ensure compliance with the agreed security controls and standards.

AA detailed overview of all equipment involved in the outsourcing contract

A detailed equipment inventory may be useful operationally but is not a mandatory ISO 27001 contractual requirement for outsourcing agreements; the standard focuses on security controls and rights rather than asset enumeration.

BThe MSSP having an executive manager responsible for information security

While ISO 27001 requires organizational roles for information security internally, it does not mandate that an MSSP must designate a specific executive manager as a contractual obligation in outsourcing agreements.

CThe right to perform security compliance tests on the MSSP's equipment

The right to perform security compliance tests on the MSSP's equipment is more specific and technical than the broader audit right required by ISO 27001; compliance testing rights may be negotiated but are not explicitly mandated by the standard as a contract requirement.

DThe right to audit the MSSP's security processCorrect

ISO 27001 Annex A control A.15 (Supplier Relationships) explicitly requires that organizations establish and maintain the right to audit third-party suppliers' security processes to verify that contractual security obligations are being met. Since the trading organization holds ISO 27001 certification, it must ensure its outsourcing contracts comply with this standard, making the right to audit a mandatory contractual requirement rather than an optional one.

Concept tested: ISO 27001 supplier relationship audit requirements

Source: https://www.iso.org/standard/27001

Topics

#Outsourcing security#MSSP#Contractual requirements#Right to audit#ISO 27001

Community Discussion

No community discussion yet for this question.

Full CISSP Practice