Content library
CyberFundamentals (Belgium)
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

Requirement description

Based on the results of the cyber supply chain risk assessment, a contractual framework for suppliers and external partners shall be established to address sharing of sensitive information and distributed and interconnected ICT/OT products and services.
Guidance
- Entities not subject to the NIS legislation should consider business critical suppliers and third-party partners only.
- Keep in mind that GDPR requirements need to be fulfilled when business information contains personal data (applicable on all levels), i.e. security measures need to be addressed in the contractual framework.

Contractual ‘information security and cybersecurity’ requirements for suppliers and thirdparty partners shall be implemented to ensure a verifiable flaw remediation process, and to ensure the correction of flaws identified during ‘information security and cybersecurity’ testing and evaluation.
Guidance
- Information systems containing software (or firmware) affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws) should be identified.
- Newly released security relevant patches, service packs, and hot fixes should be installed, and these patches, service packs, and hot fixes are tested for effectiveness and potential side effects on the organization’s information systems before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Flaw remediation should be incorporated into configuration management as an emergency change.

The organization shall establish contractual requirements permitting the organization to review the ‘information security and cybersecurity’ programs implemented by suppliers and third-party partners.

How to fill the requirement

CyberFundamentals (Belgium)

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

Task name
Priority
Status
Theme
Policy
Other requirements
Data processing partner listing and owner assignment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
44
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
1.2.4: Definition of responsibilities with service providers
TISAX
1.3.3: Use of approved external IT services
TISAX
6.1.1: Partner Information security
TISAX
See all related requirements and other information from tasks own page.
Go to >
Data processing partner listing and owner assignment
1. Task description

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Documentation of partner contract status
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
27
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
30 § 3.4°: La sécurité de la chaîne d'approvisionnement
NIS2 Belgium
30 § 4°: Définir et contrôler les mesures de sécurité requises pour la chaîne d'approvisionnement
NIS2 Belgium
2.1.9: Maintain security responsibility during outsourcing
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Documentation of partner contract status
1. Task description

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

  • the data used by the supplier (and possible data classification) and staff receiving access to data
  • rules on the acceptable use of data
  • confidentiality requirements for data processing staff
  • parties responsibilities in meeting regulatory requirements
  • parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
  • reporting and correcting incidents
  • requirements for the use of subcontractors
  • allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
  • a commitment to return or destroy data at the end of the contract
  • the supplier's responsibility to comply with organization's security guidelines
Monitoring suppliers' compliance with security requirements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
31
requirements

Examples of other requirements this task affects

Članak 30.2: Dobavljačka kibernetička sigurnost i rizici
NIS2 Croatia
1.2.4: Definition of responsibilities with service providers
TISAX
30 § 4°: Définir et contrôler les mesures de sécurité requises pour la chaîne d'approvisionnement
NIS2 Belgium
2.1.10: Review the service provider’s security when outsourcing
NSM ICT-SP
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Monitoring suppliers' compliance with security requirements
1. Task description

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

  • monitoring the promised service level
  • reviewing supplier reports and arranging follow-up meetings
  • regular organization of independent audits
  • follow-up of problems identified in audits
  • more detailed investigation of security incidents and review of related documentation
  • review of the supplier's future plans (related to maintaining the service level)
Regular security assessment of partners in the supply chain of provided digital services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Cloud service management
15
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
30 § 3.4°: La sécurité de la chaîne d'approvisionnement
NIS2 Belgium
2.1.4: Reduce the risk of targeted manipulation of ICT products in the supply chain
NSM ICT-SP
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Regular security assessment of partners in the supply chain of provided digital services
1. Task description

The organization shall define a security assessment and conduct it on a regular basis for the partners in the supply chain of the digital services provided.

This should ensure the compliance of the partners affecting the security of the services provided and thus the fulfillment of the terms of the contract.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.