Automatic forwarding of email to external addresses is denied-by-default.
Specification
Information does not automatically leave the organisation.
If the individual has a legitimate organisational need to be reached after the end of the formal relationship with the organisation, the individual can request an out-of-office to be set including new contact details.
Other domains belonging to the organisation are not considered external.
Forwarding to external domains can only occur under control of the organisation, taking appropriate organisational, contractual and technical measures to safeguard that information remains under control of the organisation.
ISO 27001 & 27002:2022
A5.10,
A5.14,
A5.33,
A5.34,
A7.7,
A7.10,
A8.26,
A8.33
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
DM.03 Beveiligingseisen voor Datamanagement