ISM-0072

Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose.

Topic: Contractual security requirements with service providers
Applicable to: all
Priority: must

History
Dec 2022
Control: Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose.
Change: Language from existing controls relating to ‘contractual arrangements’ was amended to ‘contractual arrangements with service providers’.

Sep 2022
Control: Security requirements associated with the confidentiality, integrity and availability of data entrusted to a service provider are documented in contractual arrangements and reviewed on a regular and ongoing basis to ensure they remain fit for purpose.
Change: The existing control recommending that security requirements be documented in contractual arrangements with service providers was extended to recommend that such requirements be reviewed on a regular and ongoing basis to ensure they remain fit for purpose.

Jul 2020
Control: Security requirements associated with the confidentiality, integrity and availability of information entrusted to a service provider are documented in contractual arrangements.
Change: Security control 0072 was amended to specify that confidentiality, integrity and availability requirements for information are specified in contractual arrangements rather than a memorandum of understanding.

Jun 2020
Control: Any security controls associated with the protection of information entrusted to a service provider are documented in contract provisions, a memorandum of understanding or an equivalent formal agreement between parties.

2015
Control: Any measures associated with the protection of information entrusted to another party must be documented in contract provisions, a memorandum of understanding or equivalent formal agreement between parties.

2010
Control: Agencies must ensure that a third party is aware of its security requirements by defining requirements in such documentation as:
• contract provisions
• a memorandum of understanding.

2008
Control: An agency must ensure a third party is aware of the agency’s ICT security expectations by defining expectations in:
a. contract provisions
b. a memorandum of understanding or
c. a non-disclosure agreement.