A managed service register contains the following for each managed service: • managed service provider’s name • managed service’s name • purpose for using the managed service • sensitivity or classification of data involved • due date for the next security assessment of the managed service • contractual arrangements for the managed service • point of contact for users of the managed service • 24/7 contact details for the managed service provider.
Topic
Managed services
Applicable to
Non Classified, Official, Protected, Secret, Top Secret
History
Sep 2022
A managed service register contains the following for each managed service:
• managed service provider’s name
• managed service’s name
• purpose for using the managed service
• sensitivity or classification of data involved
• due date for the next security assessment of the managed service
• contractual arrangements for the managed service
• point of contact for users of the managed service
• 24/7 contact details for the managed service provider.
The existing control recommending 24/7 contact details be recorded for managed services and cloud services (ISM-1433) was merged into existing controls for managed service registers and cloud service registers.
Sep 2022
A managed service register contains the following for each managed service:
• managed service provider’s name
• managed service’s name
• purpose for using the managed service
• sensitivity or classification of data involved
• due date for the next security assessment of the managed service
• contractual arrangements for the managed service
• point of contact for users of the managed service
• 24/7 contact details for the managed service provider.
Existing controls were modified to ensure similar information is being recorded within managed service registers and cloud service registers. In addition, a new requirement was added to existing controls to ensure that copies of contractual arrangements for managed services and cloud services are kept with associated registers.
Mar 2022
A managed service register contains the following for each managed service:
• managed service provider’s name • purpose for using the managed service
• sensitivity or classification of data involved
• point of contact for users of the managed service
• point of contact for the managed service provider.
Managed service providers manage the services of an organisation on their behalf. This may include application services, authentication services, backup services, cloud services, desktop services, enterprise mobility services, gateway services, hosting services, network services, procurement services, security services, support services, and many other business-related services. In doing so, managed service providers may manage services from their customers’ premises or their own premises. In considering security risks associated with managed services, an organisation should consider all managed service providers that have access to their facilities, systems or data.