Ensure Service Provider Contracts Include Security Requirements

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

• the data used by the supplier (and possible data classification) and staff receiving access to data
• rules on the acceptable use of data
• confidentiality requirements for data processing staff
• parties responsibilities in meeting regulatory requirements
• parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
• reporting and correcting incidents
• requirements for the use of subcontractors
• allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
• a commitment to return or destroy data at the end of the contract
• the supplier's responsibility to comply with organization's security guidelines

External IT services are not used without explicit assessment and implementation of the information security requirements:

• A risk assessment of the external IT services is available
• Legal, regulatory, and contractual requirements are considered

The external IT service must meet the needed requirements for data they will handle.

• Organisation should have a procedure to determine if the external IT service meets the requirements before being allowed access to the data
• Before starting to use external IT services (like cloud services, software, or third-party IT support), the service must meet organisations requirements (e.g. for compatibility, security, cost-effectiveness, and alignment with organizational needs)

The organisation must review at regular intervals that only approved external IT services are used.

The organization must communicate to suppliers their roles and responsibilities in supply chain security. It must also be ensured that suppliers understand their security guidelines and any other security responsibilities under the agreements.

The organization has included the service level requirements necessary for the continuity of operations as part of procurement requirements and contracts.

In particular, it is important to agree on the parts of the data processing environment that are necessary for critical functions (e.g. the information systems and partners that support these functions) in a way that guarantees sufficient availability of services. Contracts can include requirements, e.g. general service level (SLA) and recovery from problem situations (RPO, RTO).