Requirement

6.1: Security in acquisition of ICT services or ICT products

Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.

1. For the purpose of Article 21(2), point (e) of Directive (EU) 2022/2555, the relevant entities shall set and implement processes to manage risks stemming from the acquisition of ICT services or ICT products for components that are critical for the relevant entities’ security of network and information systems, based on the risk assessment carried out pursuant to point 2.1, from suppliers or service providers throughout their life cycle.

2. For the purpose of point 6.1.1, the processes referred to in point 6.1.1 shall include:

security requirements to apply to the ICT services or ICT products to be acquired;
requirements regarding security updates throughout the entire lifetime of the ICT services or ICT products, or replacement after the end of the support period;
information describing the hardware and software components used in the ICT services or ICT products;
information describing the implemented cybersecurity functions of the ICT services or ICT products and the configuration required for their secure operation;
assurance that the ICT services or ICT products comply with the security requirements according to point (a);
methods for validating that the delivered ICT services or ICT products are compliant to the stated security requirements, as well as documentation of the results of the validation.

3. The relevant entities shall review and, where appropriate, update the processes at planned intervals and when significant incidents occur.

Fulfill this requirement by completing the tasks below ->

This requirement is part of the framework:

NIS2 Implementing Regulation

Other requirements of the framework

6.1: Security in acquisition of ICT services or ICT products

Best practices

How to implement:

6.1: Security in acquisition of ICT services or ICT products

This policy on

6.1: Security in acquisition of ICT services or ICT products

provides a set concrete tasks you can complete to secure this topic. Follow these best practices to ensure compliance and strengthen your overall security posture.

2. For the purpose of point 6.1.1, the processes referred to in point 6.1.1 shall include:

security requirements to apply to the ICT services or ICT products to be acquired;
requirements regarding security updates throughout the entire lifetime of the ICT services or ICT products, or replacement after the end of the support period;
information describing the hardware and software components used in the ICT services or ICT products;
information describing the implemented cybersecurity functions of the ICT services or ICT products and the configuration required for their secure operation;
assurance that the ICT services or ICT products comply with the security requirements according to point (a);
methods for validating that the delivered ICT services or ICT products are compliant to the stated security requirements, as well as documentation of the results of the validation.

3. The relevant entities shall review and, where appropriate, update the processes at planned intervals and when significant incidents occur.

Read below what concrete actions you can take to improve this ->

Frameworks that include requirements for this topic:

No items found.

How to improve security around this topic

In Cyberday, requirements and controls are mapped to universal tasks. A set of tasks in the same topic create a Policy, such as this one.

Here's a list of tasks that help you improve your information and cyber security related to

6.1: Security in acquisition of ICT services or ICT products

Task name

Priority

Task completes

Complete these tasks to increase your compliance in this policy.

Critical

No other tasks found.

Complete these tasks in Cyberday ISMS ->

How to comply with this requirement

In Cyberday, requirements and controls are mapped to universal tasks. Each requirement is fulfilled with one or multiple tasks.

Here's a list of tasks that help you comply with the requirement

6.1: Security in acquisition of ICT services or ICT products

of the framework

NIS2 Implementing Regulation

Task name

Priority

Task completes

Complete these tasks to increase your compliance in this policy.

Critical

General rules for the procurement of data systems

Critical

High

Normal

Low

System management

Data system procurement

General rules for the procurement of data systems

This task helps you comply with the following requirements

Članak 30.1.e: Sigurnost u nabavi, razvoju i održavanju mrežnih i informacijskih sustava NIS2 Croatia

4.2: Tietojärjestelmien hankinnat TiHL tietoturvavaatimukset

9.3 §: Tietojärjestelmien hankinta ja kehittäminen Kyberturvallisuuslaki

5.3.1: Information Security in new systems TISAX

13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus TiHL

Risk assessment for new acquisitions

Critical

High

Normal

Low

Risk management and leadership

Risk management

Risk assessment for new acquisitions

This task helps you comply with the following requirements

§ 9-4.1: Myndighet til å fatte vedtak ved anskaffelser til skjermingsverdig informasjonssystem, objekt og infrastruktur Sikkerhetsloven

§ 27: Risikovurdering Energisektor beredskabsbekendtgørelse

6.1: Security in acquisition of ICT services or ICT products NIS2 Guide

Management of procurement and use of external IT services

Critical

High

Normal

Low

Partner management

Agreements and monitoring

Management of procurement and use of external IT services

This task helps you comply with the following requirements

1.3.3: Use of approved external IT services TISAX

15.4: Ensure Service Provider Contracts Include Security Requirements CIS 18

§ 9-4.1: Myndighet til å fatte vedtak ved anskaffelser til skjermingsverdig informasjonssystem, objekt og infrastruktur Sikkerhetsloven

6.1: Security in acquisition of ICT services or ICT products NIS2 Guide

Criteria for suppliers of high priority data systems

Critical

High

Normal

Low

System management

Data system procurement

Criteria for suppliers of high priority data systems

This task helps you comply with the following requirements

Članak 30.1.d: Sigurnost lanca opskrbe NIS2 Croatia

9.4 §: Toimitusketjun hallinta ja valvonta Kyberturvallisuuslaki

1.3.3: Use of approved external IT services TISAX

6.1.1: Partner Information security TISAX

30 § 3.4°: La sécurité de la chaîne d'approvisionnement NIS2 Belgium

Security rules for the development and acquisition of data systems

Critical

High

Normal

Low

System management

Data system procurement

Security rules for the development and acquisition of data systems

This task helps you comply with the following requirements

Članak 30.1.e: Sigurnost u nabavi, razvoju i održavanju mrežnih i informacijskih sustava NIS2 Croatia

4.2: Tietojärjestelmien hankinnat TiHL tietoturvavaatimukset

9.3 §: Tietojärjestelmien hankinta ja kehittäminen Kyberturvallisuuslaki

5.3.1: Information Security in new systems TISAX

13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus TiHL

Change management procedure for significant changes to data processing services

Critical

High

Normal

Low

Development and cloud

Secure development

Change management procedure for significant changes to data processing services

This task helps you comply with the following requirements

Članak 30.1.e: Sigurnost u nabavi, razvoju i održavanju mrežnih i informacijskih sustava NIS2 Croatia

9.3 §: Tietojärjestelmien hankinta ja kehittäminen Kyberturvallisuuslaki

5.2.1: Change management TISAX

5.3.1: Information Security in new systems TISAX

30 § 3.5°: L'acquisition, du développement et de la maintenance des réseaux et des systèmes d'information NIS2 Belgium

Comprehensiveness of contractual terms for cloud service provisioning

Critical

High

Normal

Low

System management

Data system procurement

Comprehensiveness of contractual terms for cloud service provisioning

This task helps you comply with the following requirements

5.23: Information security for use of cloud services ISO 27001

21.2.e: Secure system acquisition and development NIS2

30 § 3.5°: L'acquisition, du développement et de la maintenance des réseaux et des systèmes d'information NIS2 Belgium

Članak 30.1.e: Sigurnost u nabavi, razvoju i održavanju mrežnih i informacijskih sustava NIS2 Croatia

14.5.6): Tinklų ir informacinių sistemų saugumą NIS2 Lithuania

Phasing out outdated ICT products

Critical

High

Normal

Low

System management

Data system management

Phasing out outdated ICT products

This task helps you comply with the following requirements

2.1.2: Procure modern and up-to-date hardware and software NSM ICT-SP

2.3.8: Do not deactivate exploit protection functions NSM ICT-SP

Article 34: ICT operations security DORA simplified RMF

6.1: Security in acquisition of ICT services or ICT products NIS2 Guide

Requiring a system description from suppliers of important information systems to be acquired

Critical

High

Normal

Low

System management

Data system procurement

Requiring a system description from suppliers of important information systems to be acquired

This task helps you comply with the following requirements

HAL-16: Hankintojen turvallisuus Julkri

21.2.e: Secure system acquisition and development NIS2

2.1.1: Include security in the organisation’s procurement process NSM ICT-SP

2.1.10: Review the service provider’s security when outsourcing NSM ICT-SP

30 § 3.5°: L'acquisition, du développement et de la maintenance des réseaux et des systèmes d'information NIS2 Belgium

Complete these tasks in Cyberday ISMS ->

The ISMS component hierachy

When building an ISMS, it's important to understand the different levels of information hierarchy. Here's how Cyberday is structured.

Framework

Sets the overall compliance standard or regulation your organization needs to follow.

Requirements

Break down the framework into specific obligations that must be met.

Tasks

Concrete actions and activities your team carries out to satisfy each requirement.

Policies

Documented rules and practices that are created and maintained as a result of completing tasks.