15.4: Ensure Service Provider Contracts Include Security Requirements

Requirement description

Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach notification
and response, data encryption requirements, and data disposal commitments. These security
requirements must be consistent with the enterprise’s service provider management policy. Review
service provider contracts annually to ensure contracts are not missing security requirements.

How to fill the requirement

Documentation of partner contract status
Theme: Partner management
Policy: Agreements and monitoring
Other requirements: 27

Examples of other requirements this task affects

  • Article 30.1.d: Supply chain security (NIS2 Croatia)
  • 9.4 §: Supply chain management and monitoring (Kyberturvallisuuslaki)
  • 30 § 3.4°: Supply chain security (NIS2 Belgium)
  • 30 § 4°: Define and control the security measures required for the supply chain (NIS2 Belgium)
  • 2.1.9: Maintain security responsibility during outsourcing (NSM ICT-SP)

Documentation of partner contract status
1. Task description

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier about either party's obligations regarding compliance with security requirements.

The organization shall include in the supplier agreement, as appropriate:

  • the data used by the supplier (and its data classification, where applicable) and the staff receiving access to the data
  • rules on the acceptable use of the data
  • confidentiality requirements for staff processing the data
  • the parties' responsibilities in meeting regulatory requirements
  • the parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
  • reporting and correcting incidents
  • requirements for the use of subcontractors
  • allowing audits of the supplier's processes and controls related to the contract (and committing to correcting non-conformities)
  • a commitment to return or destroy the data at the end of the contract
  • the supplier's responsibility to comply with the organization's security guidelines
Management of procurement and use of external IT services
Theme: Partner management
Policy: Agreements and monitoring
Other requirements: 2

Examples of other requirements this task affects

  • 1.3.3: Use of approved external IT services (TISAX)
  • 15.4: Ensure Service Provider Contracts Include Security Requirements (CIS 18)

Management of procurement and use of external IT services
1. Task description

External IT services are not used without an explicit assessment and implementation of the information security requirements:

  • A risk assessment of the external IT services is available
  • Legal, regulatory, and contractual requirements are considered

The external IT service must meet the requirements appropriate for the data it will handle.

  • The organisation should have a procedure to determine whether the external IT service meets the requirements before it is allowed access to the data
  • Before starting to use external IT services (such as cloud services, software, or third-party IT support), the service must meet the organisation's requirements (e.g. for compatibility, security, cost-effectiveness, and alignment with organisational needs)

The organisation must review at regular intervals that only approved external IT services are used.

Communicating responsibilities to suppliers
Theme: Partner management
Policy: Agreements and monitoring
Other requirements: 7

Examples of other requirements this task affects

  • PR.AT-3: Third-party stakeholders (NIST)
  • 1.2.4: Definition of responsibilities with service providers (TISAX)
  • ID.BE-1: The organization’s role in the supply chain is identified and communicated. (CyberFundamentals)
  • PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities. (CyberFundamentals)
  • GV.SC-02: Establishing and communicating cybersecurity roles for suppliers, customers, and partners (NIST 2.0)

Communicating responsibilities to suppliers
1. Task description

The organization must communicate to suppliers their roles and responsibilities in supply chain security. It must also ensure that suppliers understand the organization's security guidelines and any other security responsibilities placed on them under the agreements.

Service level requirements in contracts related to the data processing environment
Theme: Partner management
Policy: Agreements and monitoring
Other requirements: 4

Examples of other requirements this task affects

  • 28: Service level requirements in contracts (Digiturvan kokonaiskuvapalvelu)
  • Article 30: Key contractual provisions (DORA)
  • 2.1.9: Maintain security responsibility during outsourcing (NSM ICT-SP)
  • 15.4: Ensure Service Provider Contracts Include Security Requirements (CIS 18)

Service level requirements in contracts related to the data processing environment
1. Task description

The organization has included the service level requirements necessary for the continuity of operations as part of procurement requirements and contracts.

In particular, it is important to agree on the parts of the data processing environment that are necessary for critical functions (e.g. the information systems and partners that support these functions) in a way that guarantees sufficient availability of services. Contracts can include requirements such as a general service level agreement (SLA) and recovery objectives for problem situations (RPO, RTO).

