The right to verify compliance with security requirements is documented in contractual arrangements with service providers.
Topic: Contractual security requirements with service providers
Applicable to: all
History
Dec 2022
The right to verify compliance with security requirements is documented in contractual arrangements with service providers.
Language from existing controls relating to ‘contractual arrangements’ was amended to ‘contractual arrangements with service providers’.
Mar 2022
The right to verify compliance with security requirements is documented in contractual arrangements.
Due to the confusing use of audit terminology, references to ‘audited’ have been changed to ‘verified’. For example, an ICT equipment register is verified (rather than audited) on a regular basis. This will allow security personnel, or other suitable parties, to conduct such activities rather than having to rely on the use of an organisation’s internal auditors.
Jul 2020
The right to audit security controls associated with the protection of information and services is specified in contractual arrangements.
Security control 1571 was introduced to ensure a right to audit is included in contractual arrangements with service providers.