Content library
Julkri: TL IV-I
TSU-04: Henkilötietojen käsittelijä

How to fill the requirement

Julkri: TL IV-I

TSU-04: Henkilötietojen käsittelijä

Task name
Priority
Status
Theme
Policy
Other requirements
Documentation of partner contract status
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
requirements

Task is fulfilling also these other security requirements

28. Data processor
GDPR
15.1.3: Information and communication technology supply chain
ISO27 Full
A.7.2.6: Contracts with PII processors
ISO 27701
HAL-16.1: Hankintojen turvallisuus - sopimukset
Julkri
TSU-04: Henkilötietojen käsittelijä
Julkri
1. Task description

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

  • the data used by the supplier (and possible data classification) and staff receiving access to data
  • rules on the acceptable use of data
  • confidentiality requirements for data processing staff
  • parties responsibilities in meeting regulatory requirements
  • parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
  • reporting and correcting incidents
  • requirements for the use of subcontractors
  • allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
  • a commitment to return or destroy data at the end of the contract
  • the supplier's responsibility to comply with organization's security guidelines
Data processing partner listing and owner assignment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
requirements

Task is fulfilling also these other security requirements

28. Data processor
GDPR
44. General principle for transfers
GDPR
26. Joint controllers
GDPR
15.1.1: Information security policy for supplier relationships
ISO27 Full
8.1.1: Inventory of assets
ISO27 Full
1. Task description

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Criteria for high priority partners
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Supplier security
requirements

Task is fulfilling also these other security requirements

15.1.1: Information security policy for supplier relationships
ISO27 Full
ID.BE-1: Role in supply chain
NIST
ID.SC-4: Audit suppliers and third-party partners
NIST
TSU-04: Henkilötietojen käsittelijä
Julkri
5.19: Information security in supplier relationships
ISO27k1 Full
1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Criteria for suppliers of high priority data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system procurement
requirements

Task is fulfilling also these other security requirements

15.1.1: Information security policy for supplier relationships
ISO27 Full
14.1.1: Information security requirements analysis and specification
ISO27 Full
15.2.1: Monitoring and review of supplier services
ISO27 Full
ID.SC-1: Cyber supply chain
NIST
ID.SC-4: Audit suppliers and third-party partners
NIST
1. Task description

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

No items found.