Content library
NSM ICT Security Principles (Norway)
2.1.9: Maintain security responsibility during outsourcing

Requirement description

Maintain security responsibility during outsourcing. This includes a) staying in control of the entire life cycle of the service(s) being outsourced, b) procurement expertise (e.g. management, administrative and IT architecture expertise) for the duration of the outsourcing, c) conducting adequate risk assessments which includes ICT throughout the entire life cycle, d) a requirement document for every stage of the outsourcing e) contracts on the outsourcing of ICT services, and amendments to such contracts, in accordance with the organisation’s authority hierarchy. See also chapter – Outsourcing and cloud services and it must be stressed that the organisation’s security obligations do not end when one outsources. The organisation remains responsible regardless of who is performing the tasks.

How to fill the requirement

NSM ICT Security Principles (Norway)

2.1.9: Maintain security responsibility during outsourcing

Task name
Priority
Status
Theme
Policy
Other requirements
Documentation of partner contract status
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
26
requirements

Examples of other requirements this task affects

28. Data processor
GDPR
15.1.3: Information and communication technology supply chain
ISO 27001
A.7.2.6: Contracts with PII processors
ISO 27701
HAL-16.1: Hankintojen turvallisuus - sopimukset
Julkri
TSU-04: Henkilötietojen käsittelijä
Julkri
See all related requirements and other information from tasks own page.
Go to >
Documentation of partner contract status
1. Task description

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

  • the data used by the supplier (and possible data classification) and staff receiving access to data
  • rules on the acceptable use of data
  • confidentiality requirements for data processing staff
  • parties responsibilities in meeting regulatory requirements
  • parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
  • reporting and correcting incidents
  • requirements for the use of subcontractors
  • allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
  • a commitment to return or destroy data at the end of the contract
  • the supplier's responsibility to comply with organization's security guidelines
Risk Assessment and Considerations for Contracting ICT Services Supporting Critical Functions
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
3
requirements

Examples of other requirements this task affects

Article 29: Preliminary assessment of ICT concentration risk at entity level
DORA
2.1.9: Maintain security responsibility during outsourcing
NSM ICT-SP
Article 34: ICT operations security
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Risk Assessment and Considerations for Contracting ICT Services Supporting Critical Functions
1. Task description

When assessing risks related to ICT services supporting critical functions, financial entities should consider:

  • Whether contracting with a non-substitutable ICT service provider is involved.
  • The implications of multiple contracts with the same or closely connected ICT service providers.
  • Evaluating alternative solutions like using different service providers, aligning with business needs and digital resilience strategy.

Regarding subcontracting:

  • Financial entities should assess benefits and risks of subcontracting, especially when subcontractors are based in third countries.
  • Consideration of insolvency law provisions in case of the service provider's bankruptcy and constraints on data recovery.
  • Compliance with Union data protection rules and law enforcement in third countries.
  • Assessment of potential impacts of complex subcontracting chains on monitoring and supervisory abilities.
Process for monitoring and tracking outsourced development work
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
14
requirements

Examples of other requirements this task affects

14.2.7: Outsourced development
ISO 27001
DE.CM-6: External service provider activity monitoring
NIST
8.30: Outsourced development
ISO 27001
8.28: Secure coding
ISO 27001
21.2.e: Secure system acquisition and development
NIS2
See all related requirements and other information from tasks own page.
Go to >
Process for monitoring and tracking outsourced development work
1. Task description

Even when development is outsourced, we remain responsible for complying with appropriate laws and verifying the effectiveness of security controls.

We have defined the procedures that we monitor and follow throughout the outsourcing chain.Practices may include e.g. the following things:

  • policies for reviewing and approving generated code
  • evidence of testing activities performed by the partner
  • communication practices
  • contractual rights to audit the development process and management tools
  • documentation requirements for code generation
Supply chain cyber security risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
17
requirements

Examples of other requirements this task affects

ID.SC-1: Cyber supply chain
NIST
21.3: Defining and monitoring required supply chain security measures
NIS2
CC3.2: Identification of risks related to objectives
SOC 2
Article 28: General principles
DORA
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
See all related requirements and other information from tasks own page.
Go to >
Supply chain cyber security risk management
1. Task description

The organization agrees upon and implements a common information security risk management procedure and processes with stakeholders.

The organization should seek to integrate third-party risk management into its overall information security risk management. This should involve:

  • Evaluating interdependencies
  • Assessing risks related to contracts provided by third parties
  • Addressing the scalability of risk management based on the organization's size and needs
Service level requirements in contracts related to the data processing environment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
4
requirements

Examples of other requirements this task affects

28: Palvelutasovaatimukset sopimuksissa
Digiturvan kokonaiskuvapalvelu
Article 30: Key contractual provisions
DORA
2.1.9: Maintain security responsibility during outsourcing
NSM ICT-SP
15.4: Ensure Service Provider Contracts Include Security Requirements
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Service level requirements in contracts related to the data processing environment
1. Task description

The organization has included the service level requirements necessary for the continuity of operations as part of procurement requirements and contracts.

In particular, it is important to agree on the parts of the data processing environment that are necessary for critical functions (e.g. the information systems and partners that support these functions) in a way that guarantees sufficient availability of services. Contracts can include requirements, e.g. general service level (SLA) and recovery from problem situations (RPO, RTO).

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.