Information and communication technology supply chain

When involving subprocessors in processing personal data related to offered cloud services, the organization ensures that contracts clearly specify the minimum technical and organizational security measures required from subprocessors.

The organization must clearly document all the digital services it provides to its customers according to the cloud service model.

The documentation for digital services must include the partners involved in the service supply chain. The partner listing must include supporting services (such as IaaS, such as AWS or MS Azure), other partners included in the main service provider's supply chain (such as outsourced development), and other services that complement the actual service (including IDaaS, CDN).

In the future, supply chain documentation can be used to review a more detailed division of safety responsibilities.

When the organisation chooses to use another cloud service provider’s services for the provision of its own offered cloud services, the organisation must make sure that the information security level of its customers is maintained or exceeded.

To ensure this the organisation must specify required security objectives to the subcontractors included in the supply chain. These objectives should require performing risk management to accomplish the objectives.

When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include responsibilities related e.g. to:

• Malware protection
• Cryptographic controls
• Backup
• Vulnerability and incident management
• Compliance and security testing
• Authentication, identity and access management