ISM-0141

The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers.

Topic
Contractual security requirements with service providers
Applicable to
all

History

Priority
must
Dec 2022
The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers.
Language from existing controls relating to ‘contractual arrangements’ was amended to ‘contractual arrangements with service providers’.
Sep 2022
The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements.
The existing control recommending that service providers notify their customers of cyber security incidents was extended to recommend that such requirements be documented in contractual arrangements.
Jul 2020
Service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.
Security control 0141 was amended to ensure consistency of language with similar security controls.
Jun 2020
When organisations use outsourced information technology or cloud services, their service providers report all cyber security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered.
2015
Agencies that outsource their information technology services and functions must ensure that the service provider consults with the agency when a cyber security incident occurs.
2010
Agencies that outsource their information technology services and functions must ensure the service provider consults with the agency when a cyber security incident occurs.
2008
Agencies who outsource the ICT security functionality for a system to a service provider should ensure that the service provider consults with the agency when a significant, or non-significant, ICT security incident occurs.