Q: 7
What action should an organization take to ensure the security of information when it is transferred or treated by an external party?
Options
Discussion
Option B
Option B covers your bases for compliance and due diligence. You can’t just trust the third party on their word; it needs to be in the contract so responsibilities are clear. Pretty sure that’s what ISO expects here.
Not A, it's got to be B here. ISO 27001 makes it clear you need contractual security clauses, not just trust the external party's controls. Option A is a classic trap. Open to other views but pretty sure on this one.
Hard to say; A could apply in a situation where the external party is already certified to ISO 27001 and contractually obligated elsewhere. In that edge case, just relying on their measures might technically work. Not totally sure, but that's how I've seen it argued.
The trick here is that if the external party already has their own strong security controls, option A almost sounds okay. But ISO 27001 still expects explicit contract clauses (B), not just relying on external policies. Pretty sure B is safest unless the question specified minimum expectations.
Similar practice questions and the official ISO 27001 guide both say contracts with security clauses are needed, so I'd trust B here.
B's the safer pick since ISO 27001 really wants those security obligations spelled out in contracts. Just trusting an external party or excluding them from scope isn’t enough for compliance. Pretty sure B is what most auditors expect here.
B makes sense since ISO 27001 is big on putting security clauses right into contracts. If you just rely on what the external party has (like in A), you're basically hoping their standards match yours, which isn't always the case. C doesn't really address the actual transfer risk. Pretty sure it's B, but open to other takes if someone thinks otherwise.
Practice tests and the official ISO 27001 guide really help with this: B.
I think B is the move here. ISO 27001 wants those security requirements written into contracts so you aren't just trusting external parties to have decent controls. Even if they're certified, without something contractual, stuff can get missed. Anyone see a situation where A works?