Risk transfer

Guest user Created:   Oct 01, 2019 Last commented:   Oct 01, 2019

Part of the operations network of company XXXX is managed by an external company, called XXXX, located within the facilities of company XXXX: personnel, systems and information. All the assets of this network are critical assets, and all of them are at very high risk from threats. Some of these assets have measures applied; some are insufficient and must be improved. I have identified the asset owner as company XXXX and the risk owner as the external company XXXX. As we discussed, we would have two options:
  1. From company XXXX, treat the risks and implement the controls
  2. From company XXXX, transfer the risk to company XXXX, which would then have to implement the controls, but following the criteria of company XXXX.
I'm lost! I need you to advise me on the most effective way to do this. If we transfer the risk to company XXXX, we lose control of the controls, and it will not be defined which controls are to be applied… and we should not. Can you please help me on this point?

Expert
Rhand Leal Oct 01, 2019

Part of the XXXX company's network of operations is managed by an external company, called XXXX, located within the XXXX company's facilities: personnel, systems, and information.

All the assets of this network are critical assets and all with a very high risk of threats. Some of these assets have measures applied, some are insufficient and should improve. I have identified the owner of the asset the company XXXX, owner of the risk, the external company XXXX.

As we commented, we would have two options:

  • From the XXXX company, treat the risks and implement the controls
  • From the XXXX company, transfer the risk to the XXXX company which is the one who must implement the controls but following the criteria of the XXXX company.

I'm lost!!!

I need you to advise me on the most effective way to do it. If we transfer the risk to the company XXXX, we lose control of the controls and it will not be defined what are the controls to be applied… and we should not.

Can you please help me at this point?

When you transfer risk treatment to a third party, the best way to do that is by means of a contract or service agreement, so you can enforce, through security clauses, that the third party keeps the same or a higher level of security than you would implement on your own, as well as presents the evidence you need so that you do not lose sight of the controls you want implemented.

These articles will provide you with further explanation about supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
