Data processing partner listing and owner assignment

Critical
High
Normal
Low

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Connected other frameworks and requirements:
28. Processor
GDPR
44. General principle for transfers
GDPR
26. Joint controllers
GDPR
15.1.1: Information security policy for supplier relationships
ISO 27001
8.1.1: Inventory of assets
ISO 27001

Criteria for high priority partners

Critical
High
Normal
Low

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Connected other frameworks and requirements:
15.1.1: Information security policy for supplier relationships
ISO 27001
ID.BE-1: Role in supply chain
NIST CSF
ID.SC-4: Audit suppliers and third-party partners
NIST CSF
5.19: Information security in supplier relationships
ISO 27001
7.2 (MIL1): Manage Third-Party Risk
C2M2

Definition of supplier-specific responsible persons

Critical
High
Normal
Low

A responsible person has been appointed for the provider companies, who monitors the provider's activities, communications and compliance with the contract.

Responsible person must have sufficient skills to analyze cyber security requirements depending on the criticality of the provider. Responsible person also ensures that the provider appoints an own responsible person to ensure compliance with the contract and facilitate cooperation.

Connected other frameworks and requirements:
8.1.2: Ownership of assets
ISO 27001
15.2.2: Managing changes to supplier services
ISO 27001
ID.SC-4: Audit suppliers and third-party partners
NIST CSF

Monitoring suppliers' compliance with security requirements

Critical
High
Normal
Low

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

  • monitoring the promised service level
  • reviewing supplier reports and arranging follow-up meetings
  • regular organization of independent audits
  • follow-up of problems identified in audits
  • more detailed investigation of security incidents and review of related documentation
  • review of the supplier's future plans (related to maintaining the service level)
Connected other frameworks and requirements:
32. Security of processing
GDPR
15.1.1: Information security policy for supplier relationships
ISO 27001
15.2.1: Monitoring and review of supplier services
ISO 27001
ID.GV-2: Cybersecurity role coordination
NIST CSF
ID.SC-1: Cyber supply chain
NIST CSF

Criteria for suppliers of high priority data systems

Critical
High
Normal
Low

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

  • ISO 27001 (information security management system)
  • SOC2 (general security, also called SSAE 16)
  • ISO 27701 (data protection management system)
  • ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
  • other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

Connected other frameworks and requirements:
14.1.1: Information security requirements analysis and specification
ISO 27001
15.1.1: Information security policy for supplier relationships
ISO 27001
15.2.1: Monitoring and review of supplier services
ISO 27001
ID.SC-1: Cyber supply chain
NIST CSF
ID.SC-4: Audit suppliers and third-party partners
NIST CSF
No items found.