Certified Information Systems Security Professional (CISSP) — Question 362
An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource its security monitoring to a managed security service provider (MSSP). The trading organization's security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract?
Answer options
- A. A detailed overview of all equipment involved in the outsourcing contract
- B. The right to perform security compliance tests on the MSSP's equipment
- C. The MSSP having an executive manager responsible for information security
- D. The right to audit the MSSP's security process
Correct answer: D
Explanation
The correct answer is D because having the right to audit the MSSP's security process ensures that the trading organization can verify compliance with security standards and practices. While the other options provide useful information or requirements, they do not guarantee the organization the oversight necessary for maintaining its security posture.