Q: 7
What action should an organization take to ensure the security of information when it is transferred
or treated by an external party?
Options
Discussion
Option B covers your bases for compliance and due diligence. You can't just trust the third party on their word; it needs to be in the contract so responsibilities are clear. Pretty sure that's what ISO expects here.
B's the safer pick since ISO 27001 really wants those security obligations spelled out in contracts. Just trusting an external party or excluding them from scope isn’t enough for compliance. Pretty sure B is what most auditors expect here.
B tbh, most exam reports say contracts with security clauses are ISO 27001 best practice. The official guide covers this.
Maybe B. Excluding them (C) sounds safer at first, but ISO 27001 expects controls via contracts. Option A is the trap here if you read too quickly, since relying on others without agreement doesn't work for compliance.
C isn't right here; B makes more sense unless the external party is truly out of all relevant data flows. ISO 27001 expects some contractual binding for controls with third parties. I could see rare exceptions, but B usually wins.
C vs B? I see the logic for B with contracts spelling out security, but I'm tempted by C too since excluding them from ISMS scope can reduce exposure. Not totally sure which ISO prefers though.
I don't think it's B; I'd go with A here since some external parties have their own certified controls and you might not need to micromanage them. The trap is thinking contracts solve everything.
It's B, pretty standard to include security clauses in contracts with third parties. That way both parties are clear on what controls are required. Not 100% sure, but most practice stuff points to this.