ISM-1738

The right to verify compliance with security requirements documented in contractual arrangements with service providers is exercised on a regular and ongoing basis.

Topic
Contractual security requirements with service providers
Applicable to
all

History

Dec 2022
The right to verify compliance with security requirements documented in contractual arrangements with service providers is exercised on a regular and ongoing basis.
Language from existing controls relating to ‘contractual arrangements’ was amended to ‘contractual arrangements with service providers’.
Mar 2022
The right to verify compliance with security requirements documented in contractual arrangements is exercised on a regular and ongoing basis.
While some forms of outsourcing, such as the use of cloud services or systems provided by managed service providers, require a security assessment at regular points in time, such as every two years, this does not exempt outsourced service providers from being continually monitored for compliance with security requirements stipulated within contractual arrangements. In doing so, an organisation should regularly exercise their right to verify compliance with security requirements specified in contractual requirements in order to ensure compliance is being maintained between any regularly scheduled formal security assessments.