Monitoring, review and change management of supplier services

The organization has defined the certifications or standards required of key partners. Commonly recognized standards related to cyber security include:

• ISO 27001 (information security management system)
• SOC2 (general security, also called SSAE 16)
• ISO 27701 (data protection management system)
• ISO 27017 (cyber security in cloud services) or ISO 27018 (data protection in cloud services)
• other popular e.g. NIST (general), CSA (cloud software), PCI DSS (card payments and data)

Certifications required from partners can make organization's own partner management more efficient and provide good evidence of a particular level of security or privacy of the partner.

The security arrangements required for critical online services, such as security features, service levels, and management requirements, are carefully defined in advance. Online services include e.g. connections, networks and network security solutions (e.g. firewalls).

The security features of online services can be e.g. the following:

• required security-related technologies such as authentication, encryption technology, and network connection management tools
• the technical parameters required for a secure connection to network services
• online service usage criteria that restrict access to the online service or applications as needed

A designated responsible person actively monitors the supplier's activities and services to ensure compliance with the security terms of the contracts and the proper management of security incidents.

Monitoring includes the following:

• monitoring the promised service level
• reviewing supplier reports and arranging follow-up meetings
• regular organization of independent audits
• follow-up of problems identified in audits
• more detailed investigation of security incidents and review of related documentation
• review of the supplier's future plans (related to maintaining the service level)