ISC2 CISSP Practice Question

A Master Service Agreement (MSA) with security addendum is the most effective document for establishing security expectations with a vendor because it creates a legally binding contract that specifies the security controls, compliance requirements, and data protection measures the vendor must implement. The security addendum typically includes specific technical requirements, incident response procedures, right-to-audit clauses, and data handling practices. This comprehensive approach establishes clear accountability and provides legal recourse if security requirements are not met.

While a Non-Disclosure Agreement (NDA) is important for protecting confidential information shared during the relationship, it's primarily focused on preventing information disclosure rather than comprehensive security controls. An informal email outlining security expectations lacks legal enforceability and formality. A verbal agreement during contract negotiations, while potentially discussing security matters, offers no documentation or enforceability of the security requirements.