ISM-1572

The regions or availability zones where data will be processed, stored and communicated, as well as a minimum notification period for any configuration changes, is documented in contractual arrangements with service providers.

Topic
Contractual security requirements with service providers
Applicable to
all

History

Jun 2023
The regions or availability zones where data will be processed, stored and communicated, as well as a minimum notification period for any configuration changes, is documented in contractual arrangements with service providers.
The existing control relating to minimum notification periods for changes to regions or availability zones for online services was merged into control ISM-1572 within the Guidelines for Procurement and Outsourcing. [ISM-1578]
Jun 2023
The regions or availability zones where data will be processed, stored and communicated, as well as a minimum notification period for any configuration changes, is documented in contractual arrangements with service providers.
The existing control relating to the regions or availability zones where an organisation’s data will be processed, stored and communicated being documented in contractual arrangements with service providers was amended to include minimum notification periods for any configuration changes to those regions or availability zones.
Dec 2022
The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements with service providers.
Language from existing controls relating to ‘contractual arrangements’ was amended to ‘contractual arrangements with service providers’.
Jul 2020
The regions or availability zones where information will be processed, stored and communicated is documented in contractual arrangements.
Security control 1572 was introduced to ensure that regions or availability zones for cloud services are documented in contractual arrangements.