TISAX: Information security
1.3.3: Use of approved external IT services

Requirement description

Objective: Particularly in the case of external IT services that can be used at relatively low cost or free of charge, there is an increased risk that procurement and commissioning will be carried out without appropriate consideration of the information security requirements and that security therefore is not ensured.

Requirements (must): External IT services are not used without explicit assessment and implementation of the information security requirements:
- A risk assessment of the external IT services is available,
- Legal, regulatory, and contractual requirements are considered.
The external IT services have been harmonized with the protection need of the processed information assets.

Requirements (should): Requirements regarding the procurement, commissioning and release associated with the use of external IT services are determined and fulfilled.
A procedure for release in consideration of the protection need is established.
External IT services and their approval are documented.
It is verified at regular intervals that only approved external IT services are used.

How to fill the requirement

Data processing partner listing and owner assignment

Theme: Partner management
Policy: Agreements and monitoring
Other requirements: 44

Examples of other requirements this task affects

  • Article 30.1.d: Supply chain security (NIS2 Croatia)
  • 9.4 §: Supply chain management and monitoring (Kyberturvallisuuslaki)
  • 1.2.4: Definition of responsibilities with service providers (TISAX)
  • 1.3.3: Use of approved external IT services (TISAX)
  • 6.1.1: Partner Information security (TISAX)

1. Task description

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Management of procurement and use of external IT services

Theme: Partner management
Policy: Agreements and monitoring
Other requirements: 2

Examples of other requirements this task affects

  • 1.3.3: Use of approved external IT services (TISAX)
  • 15.4: Ensure Service Provider Contracts Include Security Requirements (CIS 18)

1. Task description

External IT services are not used without explicit assessment and implementation of the information security requirements:

  • A risk assessment of the external IT services is available
  • Legal, regulatory, and contractual requirements are considered

The external IT service must meet the requirements for the data it will handle.

  • The organisation should have a procedure to determine whether the external IT service meets the requirements before it is allowed access to the data
  • Before the organisation starts to use external IT services (like cloud services, software, or third-party IT support), the service must meet the organisation's requirements (e.g. for compatibility, security, cost-effectiveness, and alignment with organizational needs)

The organisation must review at regular intervals that only approved external IT services are used.

Criteria for suppliers of high priority data systems

Theme: System management
Policy: Data system procurement
Other requirements: 23

Examples of other requirements this task affects

  • Article 30.1.d: Supply chain security (NIS2 Croatia)
  • 9.4 §: Supply chain management and monitoring (Kyberturvallisuuslaki)
  • 1.3.3: Use of approved external IT services (TISAX)
  • 6.1.1: Partner Information security (TISAX)
  • 30 § 3.4°: Supply chain security (NIS2 Belgium)

1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular standards, e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Requiring certifications from partners can make the organization's own partner management more efficient and provide good evidence of a particular level of security or privacy at the partner.

Minimum requirements for partner companies to gain access to different levels of information

Theme: Partner management
Policy: Supplier security
Other requirements: 8

Examples of other requirements this task affects

  • 15.1.1: Information security policy for supplier relationships (ISO 27001)
  • 15.1.3: Information and communication technology supply chain (ISO 27001)
  • ID.BE-1: Role in supply chain (NIST)
  • 5.21: Managing information security in the ICT supply chain (ISO 27001)
  • 6.5: Basic information and descriptions of information systems and fulfilment of essential requirements (Tietoturvasuunnitelma)

1. Task description

Minimum security requirements have been set for partner companies handling our confidential information, and these have been included in supplier agreements. Requirements vary depending on how critical the information handled by the partner is.

It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.

Criteria for high priority partners

Theme: Partner management
Policy: Supplier security
Other requirements: 23

Examples of other requirements this task affects

  • Article 30.1.d: Supply chain security (NIS2 Croatia)
  • 9.4 §: Supply chain management and monitoring (Kyberturvallisuuslaki)
  • 1.3.3: Use of approved external IT services (TISAX)
  • 6.1.1: Partner Information security (TISAX)
  • 30 § 3.4°: Supply chain security (NIS2 Belgium)

1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular standards, e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Requiring certifications from partners can make the organization's own partner management more efficient and provide good evidence of a particular level of security or privacy at the partner.

Documentation of other stakeholders

Theme: Partner management
Policy: Agreements and monitoring
Other requirements: 19

Examples of other requirements this task affects

  • Article 30.1.d: Supply chain security (NIS2 Croatia)
  • 9.4 §: Supply chain management and monitoring (Kyberturvallisuuslaki)
  • 1.3.3: Use of approved external IT services (TISAX)
  • 30 § 3.4°: Supply chain security (NIS2 Belgium)
  • ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders. (CyberFundamentals)

1. Task description

The organization shall identify

  • the stakeholders relevant to the security management system
  • the security requirements set by these stakeholders

Data system providers and personal data processors are handled in separate tasks.

Consideration of partner risks in information security risk management

Theme: Risk management and leadership
Policy: Risk management
Other requirements: 3

Examples of other requirements this task affects

  • CC9.2: Partner risk management (SOC 2)
  • 1.3.3: Use of approved external IT services (TISAX)
  • 30 § 2°: Risk assessment and management measures (NIS2 Belgium)

1. Task description

The organization must take into account the risks caused by partners when managing information security risks. If necessary, separate theme-specific risk assessments can be made for critical partners.


