CISSP · Question #1333
An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security ser
The correct answer is D. The right to audit the MSSP's security process. ISO 27001 requires that when outsourcing to third parties, organizations retain the right to audit the supplier's security processes to ensure compliance with the agreed security controls and standards.
Question
An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security service provider (MSSP), The trading organization's security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract?
Options
- AA detailed overview of all equipment involved in the outsourcing contract
- BThe MSSP having an executive manager responsible for information security
- CThe right to perform security compliance tests on the MSSP's equipment
- DThe right to audit the MSSP's security process
How the community answered
(62 responses)- A8% (5)
- B5% (3)
- C19% (12)
- D68% (42)
Why each option
ISO 27001 requires that when outsourcing to third parties, organizations retain the right to audit the supplier's security processes to ensure compliance with the agreed security controls and standards.
A detailed equipment inventory may be useful operationally but is not a mandatory ISO 27001 contractual requirement for outsourcing agreements; the standard focuses on security controls and rights rather than asset enumeration.
While ISO 27001 requires organizational roles for information security internally, it does not mandate that an MSSP must designate a specific executive manager as a contractual obligation in outsourcing agreements.
The right to perform security compliance tests on the MSSP's equipment is more specific and technical than the broader audit right required by ISO 27001; compliance testing rights may be negotiated but are not explicitly mandated by the standard as a contract requirement.
ISO 27001 Annex A control A.15 (Supplier Relationships) explicitly requires that organizations establish and maintain the right to audit third-party suppliers' security processes to verify that contractual security obligations are being met. Since the trading organization holds ISO 27001 certification, it must ensure its outsourcing contracts comply with this standard, making the right to audit a mandatory contractual requirement rather than an optional one.
Concept tested: ISO 27001 supplier relationship audit requirements
Source: https://www.iso.org/standard/27001
Topics
Community Discussion
No community discussion yet for this question.