General rules for the procurement of data systems

Critical
High
Normal
Low

Whenever new data systems are acquired, a pre-defined procurement process and rules are followed. The rules ensure that the supplier is able to guarantee an adequate level of security, taking into account the priority of the system.

Connected other frameworks and requirements:
14.1.1: Information security requirements analysis and specification
ISO 27001
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
5.23: Information security for use of cloud services
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2

Criteria for high priority partners

Critical
High
Normal
Low

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Connected other frameworks and requirements:
15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
ID.SC-4: Audit suppliers and third-party partners
NIST CSF
5.19: Information security in supplier relationships
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2
No items found.