Content library
Supplier security
Defining supplier types that can access confidential data

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Identifying critical IT partners
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
2
requirements

Examples of other requirements this task affects

THIRD-PARTIES-1: Identify and Prioritize Third Parties
C2M2
1.2.4: Definition of responsibilities with service providers
TISAX
See all related requirements and other information from tasks own page.
Go to >
Identifying critical IT partners
1. Task description

The organization must identify critical IT partners. A critical partner (internal or external) refers to a partner without whom the operation is interrupted.

Organizing supplier management meetings to discuss digital security
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
2
requirements

Examples of other requirements this task affects

75: Digiturvallisuusyhteistyö kriittisten toimittajien ja alihankkjoiden kanssa
Digiturvan kokonaiskuvapalvelu
4.1.4: Establish agreements with relevant third parties
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Organizing supplier management meetings to discuss digital security
1. Task description

The organization regularly discusses information security with critical suppliers and other partners in supplier management meetings.

Tietoliikenteen toimivuuden varmistaminen
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
1
requirements

Examples of other requirements this task affects

VAR-06: Tietoliikenteen varmistaminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietoliikenteen toimivuuden varmistaminen
1. Task description

In telecommunication services and contracts, the availability of services that are important for operations in the event of disruptions has been taken into account.

The network environments and telecommunication services of important services are verified, for example, by duplication. Communication can be physically duplicated along two different routes by two different operators.

In important environments, it is ensured that the failure of a single communication component does not interrupt the operation of the service.

For example, a separate communication connection can be installed on selected workstations, which you can access the public information network through.

The fault tolerance of connections outside of Finland should also be taken into account during the contract phase.

Prioritization of partners based on criticality
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
3
requirements

Examples of other requirements this task affects

ID.SC-2: Suppliers and third party partners of information systems
NIST
ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Prioritization of partners based on criticality
1. Task description

Organization should prioritize their partners based on:

  • Sensitivity and confidentiality of data processed or possessed by suppliers
  • The degree of access to the organization’s systems
  • The importance of the products or services to the organization’s mission
Supply chain cyber security risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
15
requirements

Examples of other requirements this task affects

ID.SC-1: Cyber supply chain
NIST
21.3: Defining and monitoring required supply chain security measures
NIS2
CC3.2: Identification of risks related to objectives
SOC 2
Article 28: General principles
DORA
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
See all related requirements and other information from tasks own page.
Go to >
Supply chain cyber security risk management
1. Task description

The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.

The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:

  • Evaluating interdependencies
  • Assessing risks related to contracts provided by third parties
  • Addressing the scalability of risk management based on the organization's size and needs
Defining supplier types that can access confidential data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
6
requirements

Examples of other requirements this task affects

15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST
5.19: Information security in supplier relationships
ISO 27001
6.1.1: Partner Information security
TISAX
See all related requirements and other information from tasks own page.
Go to >
Defining supplier types that can access confidential data
1. Task description

We define in advance the types of suppliers with whom cooperation requires access to confidential information or their processing areas, and through this e.g. demands data processing contracts. Such supplier types can be, for example, IT services, logistics, financial management and IT infrastructure components.

Criteria for high priority partners
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
20
requirements

Examples of other requirements this task affects

15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST
ID.SC-4: Audit suppliers and third-party partners
NIST
TSU-04: Henkilötietojen käsittelijä
Julkri
5.19: Information security in supplier relationships
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Criteria for high priority partners
1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Minimum requirements for partner companies to gain access to different levels of information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
8
requirements

Examples of other requirements this task affects

15.1.1: Information security policy for supplier relationships
ISO 27001
15.1.3: Information and communication technology supply chain
ISO 27001
ID.BE-1: Role in supply chain
NIST
5.21: Managing information security in the ICT supply chain
ISO 27001
6.5: Tietojärjestelmien perustiedot, kuvaukset ja olennaisten vaatimusten täyttyminen
Tietoturvasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Minimum requirements for partner companies to gain access to different levels of information
1. Task description

Minimum security requirements have been set for partner companies handling our confidential information and these have been included in supplier agreements. Requirements vary depending on how critical information the partner handles.

It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.

Defined security arrangements for providing critical network equipment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
12
requirements

Examples of other requirements this task affects

13.1.2: Security of network services
ISO 27001
15.2.1: Monitoring and review of supplier services
ISO 27001
ID.BE-5: Resilience requirements
NIST
DE.CM-1: The network monitoring
NIST
5.22: Monitoring, review and change management of supplier services
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Defined security arrangements for providing critical network equipment
1. Task description

The security arrangements required for critical online services, such as security features, service levels, and management requirements, are carefully defined in advance. Online services include e.g. connections, networks and network security solutions (e.g. firewalls).

The security features of online services can be e.g. the following:

  • required security-related technologies such as authentication, encryption technology, and network connection management tools
  • the technical parameters required for a secure connection to network services
  • online service usage criteria that restrict access to the online service or applications as needed
Exit strategies for critical ICT services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
2
requirements

Examples of other requirements this task affects

Article 28: General principles
DORA
See all related requirements and other information from tasks own page.
Go to >
Exit strategies for critical ICT services
1. Task description

Organization has put in place exit strategies for any ICT services supporting critical or important functions to prepare for possible failures, deteriorations of quality or other business disruptions related service.

Exit strategies ensure that the organization can exit related contractual arrangements without:

  • disruption to their business activities
  • non-compliance with regulatory requirements
  • detriment to continuity and quality of services provided

Exit plans are comprehensive, documented and sufficiently tested and reviewed periodically.

As part of exit strategies, organisation has also identified alternative solutions and developed transition plans enabling them to switch services and transfer relevant data securely.

Safe termination of critical relationships
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Safe termination of critical relationships
1. Task description

The Organization should have defined and documented processes for terminating critical relationships with suppliers in both normal and adverse circumstances. Adverse circumstances could include:

  • Data breach or security incident
  • Legal, ethical or regulatory violations
  • Contract breach or service failure

The processes should at least define:

  • How assets containing organization's data are returned or disposed safely and supplier access to organizational resources is removed
  • System continuity and resilience e.g. how dependent operations are kept functional when removing or changing supplier
  • Component end-of-life maintenance support and obsolescence
  • Means to prevent and mitigate data leakage or risks related to data and systems with supplier termination
Evaluation of prospective suppliers
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Evaluation of prospective suppliers
1. Task description

All potential suppliers, providers of critical resources and other relevant third-parties are assessed before acquisition with means such as:

  • Performing thorough due diligence that is proper to level of risk, criticality, and complexity of each supplier relationship and procurement planning
  • Assessing the suitability of the technology and the risk management and cybersecurity practices
  • Conducting supplier risk assessments against business and applicable cybersecurity requirements
  • Assessing the authenticity, integrity, and security of critical products prior to acquisition and use
Classifying service providers
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Classifying service providers
1. Task description

The organization establishes criteria for classifying service providers based on factors such as data sensitivity, volume, availability, regulatory compliance, and risk levels, regularly updating these classifications to manage potential impacts on the organization effectively.

Tietoteknisten ympäristöjen toimivuuden varmistaminen
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
2
requirements

Examples of other requirements this task affects

VAR-07: Tietoteknisten ympäristöjen varmentaminen
Julkri
6.11: Alusta- ja verkkopalvelujen tietoturvallinen käyttö tietosuojan ja varautumisen kannalta
Tietoturvasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Tietoteknisten ympäristöjen toimivuuden varmistaminen
1. Task description

Tietoteknisissä ympäristöissä ja niihin liittyvissä sopimuksissa on huomioitu toiminnan kannalta tärkeiden palveluiden saatavuus häiriötilanteissa.

Tärkeiden palvelujen tietotekniset ympäristöt varmennetaan esimerkiksi kahdentamalla siten, että yksittäisten komponenttien vikaantumiset eivät aiheuta toiminnan edellyttämää palvelutasoa pidempiä käyttökatkoja.

Tietotekniset ympäristöt voidaan varmentaa varavoimalla tai varavoimaliitännöillä siten, että sähkönjakelu voidaan käynnistää riittävän nopeasti ja ylläpitää sitä riittävän ajan suhteessa toiminnan vaatimuksiin.

Required security objectives for cloud service subcontractors related to offered cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
1
requirements

Examples of other requirements this task affects

15.1.3: Information and communication technology supply chain
ISO 27017
See all related requirements and other information from tasks own page.
Go to >
Required security objectives for cloud service subcontractors related to offered cloud services
1. Task description

When the organisation chooses to use another cloud service provider’s services for the provision of its own offered cloud services, the organisation must make sure that the information security level of its customers is maintained or exceeded.

To ensure this the organisation must specify required security objectives to the subcontractors included in the supply chain. These objectives should require performing risk management to accomplish the objectives.

Confirming information security roles and responsibilities related to utilized cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
12
requirements

Examples of other requirements this task affects

15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017
15.1.3: Information and communication technology supply chain
ISO 27017
5.23: Information security for use of cloud services
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Confirming information security roles and responsibilities related to utilized cloud services
1. Task description

When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include responsibilities related e.g. to:

  • Malware protection
  • Cryptographic controls
  • Backup
  • Vulnerability and incident management
  • Compliance and security testing
  • Authentication, identity and access management
Multiple providers for critical network equipment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
11
requirements

Examples of other requirements this task affects

13.1.2: Security of network services
ISO 27001
ID.BE-4: Dependencies and critical functions
NIST
ID.BE-5: Resilience requirements
NIST
VAR-08: Vikasietoisuus
Julkri
8.14: Redundancy of information processing facilities
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Multiple providers for critical network equipment
1. Task description

For example, when the fault tolerance of a telecommunication network is critical, it can be further improved by procuring basic network services through several routes and through several service providers.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.