6.1.4: Contact with special interest groups
ISO 27017
ID.RA-2: Cyber threat intelligence
NIST CSF

Other tasks from the same security theme

Documentation of customer groups whose information is processed by the organization

The organization must define

  • stakeholders relevant to the information security management system
  • information security requirements set by these stakeholders

Customer groups or individual significant customers that are important to the organization's operations are usually one of the most important stakeholders, also from the point of view of information security. Other stakeholders are treated through other tasks.

CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
CLD 8.1.5: Removal of cloud service customer assets
ISO 27017
A.8.2.1: Customer agreement
ISO 27701
4.2: Interested parties
ISO 27001

Documentation of partner contract status

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier about either party's obligations regarding compliance with security requirements.

The organization shall include in the supplier agreement, as appropriate:

  • the data used by the supplier (and its possible data classification) and the staff receiving access to the data
  • rules on the acceptable use of data
  • confidentiality requirements for data processing staff
  • the parties' responsibilities in meeting regulatory requirements
  • the parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
  • reporting and correcting incidents
  • requirements for the use of subcontractors
  • allowing the auditing of supplier processes and controls related to the contract (and committing to correcting non-conformities)
  • a commitment to return or destroy data at the end of the contract
  • the supplier's responsibility to comply with the organization's security guidelines

28. Processor
GDPR
15.1.3: Information and communication technology supply chain
ISO 27001
A.7.2.6: Contracts with PII processors
ISO 27701
5.21: Managing information security in the ICT supply chain
ISO 27001

Data processing partner listing and owner assignment

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

28. Processor
GDPR
44. General principle for transfers
GDPR
26. Joint controllers
GDPR
15.1.1: Information security policy for supplier relationships
ISO 27001
8.1.1: Inventory of assets
ISO 27001

Service level requirements in contracts related to the data processing environment

The organization has included the service level requirements necessary for the continuity of operations as part of procurement requirements and contracts.

In particular, it is important to agree on the parts of the data processing environment that are necessary for critical functions (e.g. the information systems and partners that support these functions) in a way that guarantees sufficient availability of services. Contracts can include requirements such as the general service level (SLA) and recovery from problem situations (RPO, RTO).

Communicating responsibilities to suppliers

The organization must communicate to suppliers their roles and responsibilities in supply chain security. It must also be ensured that suppliers understand their security guidelines and any other security responsibilities under the agreements.

PR.AT-3: Third-party stakeholders
NIST CSF

Detailed descriptions of required security measures for subcontractors on contracts related to offered cloud services

When involving subprocessors in the processing of personal data related to offered cloud services, the organization ensures that contracts clearly specify the minimum technical and organizational security measures required from the subprocessors.

A.11.12: Sub-contracted PII processing
ISO 27018
15.1.3: Information and communication technology supply chain
ISO 27017

Keeping contact with relevant authorities

The organization lists the relevant government actors with whom it is important to maintain active contact and, if necessary, get in touch quickly. These authorities include national law enforcement and supervisory authorities.

A clear contact person should be defined for the relevant authorities to act as a contact point for the organization.

6.1.3: Contact with authorities
ISO 27001
RC.CO-1: Public relations
NIST CSF
5.5: Contact with authorities
ISO 27001

Maintaining contact with cloud-related special interest groups

The organization should actively maintain contacts with cloud-related stakeholders and other relevant parties related to the organization's operations.

ID.RA-2: Cyber threat intelligence
NIST CSF
6.1.4: Contact with special interest groups
ISO 27017

Documentation of other stakeholders

The organization shall identify

  • the stakeholders relevant to the security management system
  • the security requirements set by these stakeholders

Data system providers and personal data processors are treated through separate tasks.

4.2: Interested parties
ISO 27001

Definition of supplier-specific responsible persons

A responsible person is appointed for each provider company to monitor the provider's activities, communications and compliance with the contract.

The responsible person must have sufficient skills to analyze cyber security requirements, depending on the criticality of the provider. The responsible person also ensures that the provider appoints its own responsible person to ensure compliance with the contract and facilitate cooperation.

8.1.2: Ownership of assets
ISO 27001
15.2.2: Managing changes to supplier services
ISO 27001
ID.SC-4: Audit suppliers and third-party partners
NIST CSF

Monitoring suppliers' compliance with security requirements

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

  • monitoring the promised service level
  • reviewing supplier reports and arranging follow-up meetings
  • regular organization of independent audits
  • follow-up of problems identified in audits
  • more detailed investigation of security incidents and review of related documentation
  • review of the supplier's future plans (related to maintaining the service level)

32. Security of processing
GDPR
15.1.1: Information security policy for supplier relationships
ISO 27001
15.2.1: Monitoring and review of supplier services
ISO 27001
ID.GV-2: Cybersecurity role coordination
NIST CSF
ID.SC-1: Cyber supply chain
NIST CSF

Collection and monitoring of supplier-specific privacy commitments

The organization must obtain confidentiality commitments from:

  • vendors
  • business partners

Furthermore, privacy commitments must be obtained from vendors and business partners, and the organization must assess:

  • compliance with the data protection commitments of vendors and business partners
  • compliance with the confidentiality obligations of vendors and business partners

Contact with industry-specific interest groups

The organization shall actively maintain contacts with interest groups and other relevant actors related to the organization's operations and security.

The goal is especially to:

  • increase knowledge of best practices and keep up to date with relevant security information
  • ensure that the organization's understanding of the security environment is up-to-date and complete

6.1.4: Contact with special interest groups
ISO 27001
ID.RA-2: Cyber threat intelligence
NIST CSF
RS.CO-5: Voluntary information sharing
NIST CSF
RC.CO-1: Public relations
NIST CSF
5.6: Contact with special interest groups
ISO 27001

Terms and conditions to limit changes directly affecting customer environments

Supplier and partner agreements should include requirements that directly limit changes affecting customer environments.

Changes should be explicitly approved and included in the scope of service level agreements.

Managing changes to supplier services

The responsible person monitors significant changes in the supplier's operations that may affect the supplier relationship and service level, and may thus require further measures. The following aspects are taken into account:

  • direct changes to supplier agreements
  • service content improvements, new technologies or the development of new services
  • significant changes in operating methods (either related to cyber security or other activities)
  • changes in the physical location of the data
  • changes in the supply chain / subcontracting process

15.2.2: Managing changes to supplier services
ISO 27001

Evaluation of data processing agreement for important data processors

Data processing agreements bind the actions of a personal data processing partner.

It can be important for us to require an important partner to, for example, ensure the confidentiality requirements for its personnel and restrict the use of other processors of personal data in connection with our data.

28. Processor
GDPR
15.1.2: Addressing security within supplier agreements
ISO 27001
5.20: Addressing information security within supplier agreements
ISO 27001