Evaluation of data processing agreement for important data processors

Other tasks from the same security theme
Documentation of customer groups whose information is processed by the organization
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 8

Examples of other requirements this task affects:
  • CLD 6.3: Relationship between cloud service customer and cloud service provider (ISO 27017)
  • CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment (ISO 27017)
  • CLD 8.1.5: Removal of cloud service customer assets (ISO 27017)
  • A.8.2.1: Customer agreement (ISO 27701)
  • 4.2: Interested parties (ISO27k1 Full)

1. Task description

The organization must define:

  • the stakeholders relevant to the information security management system
  • the information security requirements set by these stakeholders

Customer groups, or individual significant customers, that are important to the organization's operations are usually among the most important stakeholders, also from an information security point of view. Other stakeholders are treated through other tasks.

Documentation of partner contract status
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 24

Examples of other requirements this task affects:
  • 28. Data processor (GDPR)
  • 15.1.3: Information and communication technology supply chain (ISO27 Full)
  • A.7.2.6: Contracts with PII processors (ISO 27701)
  • HAL-16.1: Security of procurement - agreements (Julkri)
  • TSU-04: Personal data processor (Julkri)

1. Task description

A supplier agreement is drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier about the parties' obligations regarding compliance with security requirements.

The organization shall include in the supplier agreement, as appropriate:

  • the data used by the supplier (and its possible data classification) and the staff receiving access to the data
  • rules on the acceptable use of data
  • confidentiality requirements for data processing staff
  • the parties' responsibilities in meeting regulatory requirements
  • the parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
  • reporting and correcting incidents
  • requirements for the use of subcontractors
  • allowing audits of the supplier's processes and controls related to the contract (and a commitment to correcting non-conformities)
  • a commitment to return or destroy data at the end of the contract
  • the supplier's responsibility to comply with the organization's security guidelines

Data processing partner listing and owner assignment
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 41

Examples of other requirements this task affects:
  • 26. Joint controllers (GDPR)
  • 28. Data processor (GDPR)
  • 44. General principle for transfers (GDPR)
  • 8.1.1: Inventory of assets (ISO27 Full)
  • 13.2.2: Agreements on information transfer (ISO27 Full)

1. Task description

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Service level requirements in contracts related to the data processing environment
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 4

Examples of other requirements this task affects:
  • 28: Service level requirements in contracts (Sec overview)
  • Article 30: Key contractual provisions (DORA)
  • 2.1.9: Maintain security responsibility during outsourcing (NSM ICT-SP)

1. Task description

The organization has included the service level requirements necessary for the continuity of operations as part of procurement requirements and contracts.

In particular, it is important to agree on the parts of the data processing environment that are necessary for critical functions (e.g. the information systems and partners that support these functions) in a way that guarantees sufficient availability of services. Contracts can include requirements for, e.g., the general service level (SLA) and recovery from problem situations (RPO, RTO).

Communicating responsibilities to suppliers
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 7

Examples of other requirements this task affects:
  • PR.AT-3: Third-party stakeholders (NIST)
  • 1.2.4: Definition of responsibilities with service providers (TISAX)
  • ID.BE-1: The organization's role in the supply chain is identified and communicated. (CyFun)
  • PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities. (CyFun)

1. Task description

The organization must communicate to suppliers their roles and responsibilities in supply chain security. It must also be ensured that suppliers understand the security guidelines that apply to them and any other security responsibilities under the agreements.

Detailed descriptions of required security measures for subcontractors on contracts related to offered cloud services
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 3

Examples of other requirements this task affects:
  • A.11.12: Sub-contracted PII processing (ISO 27018)
  • 15.1.3: Information and communication technology supply chain (ISO 27017)
  • PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities. (CyFun)

1. Task description

When involving subprocessors in processing personal data related to offered cloud services, the organization ensures that contracts clearly specify the minimum technical and organizational security measures required from subprocessors.

Keeping contact with relevant authorities
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 14

Examples of other requirements this task affects:
  • 6.1.3: Contact with authorities (ISO27 Full)
  • RC.CO-1: Public relations (NIST)
  • 5.5: Contact with authorities (ISO27k1 Full)
  • 23.1: Incident notifications to CSIRT and recipients of services (NIS2)
  • CC2.3: Communication with external parties (SOC 2)

1. Task description

The organization lists the relevant government actors with whom it is important to maintain active contact and, if necessary, get in touch quickly. These authorities include national law enforcement and supervisory authorities.

A clear contact person should be defined for the relevant authorities to act as a contact point for the organization.

Maintaining contact with cloud-related special interest groups
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 4

Examples of other requirements this task affects:
  • ID.RA-2: Cyber threat intelligence (NIST)
  • 6.1.4: Contact with special interest groups (ISO 27017)

1. Task description

The organization should actively maintain contacts with cloud-related stakeholders and other relevant parties related to the organization's operations.

Documentation of other stakeholders
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 16

Examples of other requirements this task affects:
  • HAL-04.6: Assets to be protected - stakeholders (Julkri)
  • HAL-05: Requirements (Julkri)
  • 4.2: Interested parties (ISO27k1 Full)
  • 3: Mapping of key stakeholder and customer groups (Sec overview)
  • 21.2.d: Supply chain security (NIS2)

1. Task description

The organization shall identify:

  • the stakeholders relevant to the security management system
  • the security requirements set by these stakeholders

Data system providers and personal data processors are treated through separate tasks.

Definition of supplier-specific responsible persons
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 7

Examples of other requirements this task affects:
  • 8.1.2: Ownership of assets (ISO27 Full)
  • 15.2.2: Managing changes to supplier services (ISO27 Full)
  • ID.SC-4: Audit suppliers and third-party partners (NIST)
  • CC9.2: Partner risk management (SOC 2)
  • ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. (CyFun)

1. Task description

A responsible person is appointed for each provider company to monitor the provider's activities, communications and compliance with the contract.

The responsible person must have sufficient skills to analyze cyber security requirements, depending on the criticality of the provider. The responsible person also ensures that the provider appoints its own responsible person to ensure compliance with the contract and facilitate cooperation.

Monitoring suppliers' compliance with security requirements
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 27

Examples of other requirements this task affects:
  • 32. Security of processing (GDPR)
  • 15.1.1: Information security policy for supplier relationships (ISO27 Full)
  • 15.2.1: Monitoring and review of supplier services (ISO27 Full)
  • ID.GV-2: Cybersecurity role coordination (NIST)
  • ID.SC-1: Cyber supply chain (NIST)

1. Task description

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

  • monitoring the promised service level
  • reviewing supplier reports and arranging follow-up meetings
  • arranging independent audits at regular intervals
  • follow-up of problems identified in audits
  • more detailed investigation of security incidents and review of related documentation
  • review of the supplier's future plans (related to maintaining the service level)

Definition of information sharing agreements and notification obligations
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 5

Examples of other requirements this task affects:
  • Chapter VI: Information-sharing arrangements (DORA)
  • Article 45: Information-sharing arrangements on cyber threat information and intelligence (DORA)

1. Task description

Define participation conditions in information-sharing arrangements and notify competent authorities of participation.

  1. Define participation conditions in information-sharing arrangements, including the involvement of public authorities and their potential roles, participation of ICT third-party service providers, and operational details such as the use of dedicated IT platforms.
  2. Notify competent authorities of participation in information-sharing arrangements, upon validation of membership, or, as applicable, of cessation of membership once it takes effect.

Risk Assessment and Considerations for Contracting ICT Services Supporting Critical Functions
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 2

Examples of other requirements this task affects:
  • Article 29: Preliminary assessment of ICT concentration risk at entity level (DORA)
  • 2.1.9: Maintain security responsibility during outsourcing (NSM ICT-SP)

1. Task description

When assessing risks related to ICT services supporting critical functions, financial entities should consider:

  • Whether contracting with a non-substitutable ICT service provider is involved.
  • The implications of multiple contracts with the same or closely connected ICT service providers.
  • Alternative solutions, such as using different service providers, in line with business needs and the digital resilience strategy.

Regarding subcontracting:

  • Financial entities should assess the benefits and risks of subcontracting, especially when subcontractors are based in third countries.
  • Insolvency law provisions in case of the service provider's bankruptcy, and constraints on data recovery, should be considered.
  • Compliance with Union data protection rules and the effective enforcement of law in third countries should be assessed.
  • The potential impact of complex subcontracting chains on monitoring and supervisory abilities should be assessed.

Key contractual requirements for service providers supporting critical functions
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 1

Examples of other requirements this task affects:
  • Article 30: Key contractual provisions (DORA)

1. Task description

The contractual agreements for critical ICT services should include:

  • Detailed service level descriptions with clear performance targets for effective monitoring and corrective actions.
  • Notice periods and reporting obligations for any developments affecting service provision.
  • Contingency plans, security measures, and policies for business continuity and regulatory compliance.
  • Participation in the financial entity's TLPT (threat-led penetration testing).
  • Rights to monitor performance through access, inspection, and audits, with provisions for alternative assurance levels.
  • Cooperation during inspections and audits by competent authorities or appointed parties.
  • Details on scope, procedures, and frequency of inspections and audits.
  • Exit strategies, including transition periods for seamless migration or restructuring.
  • Option for microenterprises to delegate monitoring rights to an independent third party appointed by the service provider.

Management of procurement and use of external IT services
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 2

Examples of other requirements this task affects:
  • 1.3.3: Use of approved external IT services (TISAX)

1. Task description

External IT services are not used without an explicit assessment and implementation of the information security requirements:

  • A risk assessment of the external IT services is available
  • Legal, regulatory, and contractual requirements are considered

The external IT service must meet the requirements set for the data it will handle.

  • The organization should have a procedure to determine whether an external IT service meets the requirements before it is allowed access to the data
  • Before starting to use external IT services (such as cloud services, software, or third-party IT support), the service must meet the organization's requirements (e.g. for compatibility, security, cost-effectiveness, and alignment with organizational needs)

The organization must review at regular intervals that only approved external IT services are used.

Assigning of a Public Relations Officer
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 1

Examples of other requirements this task affects:
  • RC.CO-1: Public relations are managed. (CyFun)

1. Task description

The organization coordinates how relations with the public are managed by implementing a structured public relations management process. The organization assigns a dedicated Public Relations Officer (PRO) to handle all media interactions, manage requests for interviews, triage phone call and email requests, and ensure that public-facing information aligns with organizational policies.

Establishing agreements with third parties to provide consultation during an incident
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 1

Examples of other requirements this task affects:
  • 4.1.4: Establish agreements with relevant third parties (NSM ICT-SP)

1. Task description

The organization should establish agreements with relevant third parties to provide consultation if needed during an incident.

These third parties could include, e.g., CERTs (Computer Emergency Response Teams), IT specialists in various fields, and equipment or software providers.

Process for handling and sharing vulnerability disclosures
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 4

Examples of other requirements this task affects:
  • RS.AN-5: Processes are established to receive, analyse, and respond to vulnerabilities disclosed to the organization from internal and external sources. (CyFun)

1. Task description

The organization establishes processes and means to handle and share vulnerability disclosures, such as:

  • Processes for receiving, analyzing, and responding to vulnerability disclosures from suppliers, customers, partners, and government cybersecurity organizations
  • Vulnerability information sharing between the organization and suppliers, following contractual rules and protocols
  • Assigning responsibilities to relevant personnel for processing and analyzing the impact of disclosed cybersecurity threats, vulnerabilities, or incidents

Implementation of cyber security measures (Lithuania)
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 2

Examples of other requirements this task affects: none listed.

1. Task description

The organization must implement the cyber security risk management measures within 12 months of its registration in the Cyber Security Information System, or by a deadline set by the government. Data on the implementation of cyber security risk management measures must be submitted to the National Cyber Security Center in accordance with the procedure established in the regulations of the Cyber Security Information System.

Collection and monitoring of supplier-specific privacy commitments
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 2

Examples of other requirements this task affects:
  • CC9.2: Partner risk management (SOC 2)
  • 2.1.4: Reduce the risk of targeted manipulation of ICT products in the supply chain (NSM ICT-SP)

1. Task description

The organization must obtain confidentiality commitments from:

  • vendors
  • business partners

Furthermore, privacy commitments must be obtained from:

  • vendors
  • business partners

The organization must assess:

  • vendors' and business partners' compliance with their data protection commitments
  • vendors' and business partners' compliance with their confidentiality obligations

Contact with industry-specific interest groups
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 12

Examples of other requirements this task affects:
  • 6.1.4: Contact with special interest groups (ISO27 Full)
  • ID.RA-2: Cyber threat intelligence (NIST)
  • RS.CO-5: Voluntary information sharing (NIST)
  • RC.CO-1: Public relations (NIST)
  • 5.6: Contact with special interest groups (ISO27k1 Full)

1. Task description

The organization shall actively maintain contact with stakeholders and other actors relevant to the organization's operations and security.

The goal is especially to:

  • increase knowledge of best practices and keep up to date with relevant security information
  • ensure that organisation's understanding of the security environment is up-to-date and complete

Terms and conditions to limit changes directly affecting customer environments
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 1

Examples of other requirements this task affects: none listed.

1. Task description

Supplier and partner agreements should include requirements that directly limit changes affecting customer environments.

Changes should be explicitly approved and included in the scope of service level agreements.

Managing changes to supplier services
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 6

Examples of other requirements this task affects:
  • 15.2.2: Managing changes to supplier services (ISO27 Full)
  • HAL-16.1: Security of procurement - agreements (Julkri)
  • CC3.4: Identification and assessment of changes (SOC 2)
  • CC9.2: Partner risk management (SOC 2)

1. Task description

The responsible person monitors significant changes in the supplier's operations that may affect the supplier relationship and service level, and thus require further measures. The following aspects are taken into account:

  • direct changes to supplier agreements
  • service content improvements, new technologies or the development of new services
  • significant changes in operating methods (either related to cyber security or other activities)
  • changes in the physical location of the data
  • changes in the supply chain / subcontracting process

Evaluation of data processing agreement for important data processors
Theme: Partner management
Policy: Agreements and monitoring
Requirements: 7

Examples of other requirements this task affects:
  • 28. Data processor (GDPR)
  • 15.1.2: Addressing security within supplier agreements (ISO27 Full)
  • TSU-04.1: Personal data processor - Agreements (Julkri)
  • 5.20: Addressing information security within supplier agreements (ISO27k1 Full)
  • P6.5: Notification of unauthorized disclosure of personal information from third parties (SOC 2)

1. Task description

Data processing agreements bind the actions of a partner that processes personal data.

It can be important for us to require a key partner to take care of, e.g., ensuring confidentiality requirements for its personnel and restricting the use of other processors of personal data in connection with our data.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks' requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share a common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday's universal cyber security language technology creates a single security plan for you and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.