Use of approved external IT services

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

The organization shall identify

• the stakeholders relevant to the security management system
• the security requirements set by these stakeholders

Data system providers and personal data processors are treated through separate tasks.

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Minimum security requirements have been set for partner companies handling our confidential information and these have been included in supplier agreements. Requirements vary depending on how critical information the partner handles.

It makes sense for requirements to consist of rules and practices that are followed in your own organization. You can divide the requirement levels into low, medium and high risk suppliers.

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

External IT services are not used without explicit assessment and implementation of the information security requirements:

• A risk assessment of the external IT services is available
• Legal, regulatory, and contractual requirements are considered

The external IT service must meet the needed requirements for data they will handle.

• Organisation should have a procedure to determine if the external IT service meets the requirements before being allowed access to the data
• Before starting to use external IT services (like cloud services, software, or third-party IT support), the service must meet organisations requirements (e.g. for compatibility, security, cost-effectiveness, and alignment with organizational needs)

The organisation must review at regular intervals that only approved external IT services are used.

The organization must take into account the risks caused by partners when managing information security risks. If necessary, separate theme-specific risk assessments can be made for critical partners.