The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.
The organization must prioritize partners based on the confidentiality of the information processed.