3.4.1 Contract and Vendor Management
| No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 |
Effective from May 24 2017 - May 23 2017
To view other versions open the versions tab on the right
Principle
The Member Organization should define, approve, implement and monitor the required cyber security controls within the contract and vendor management processes.
Objective
To ensure that the Member Organization's approved cyber security requirements are appropriately addressed before signing the contract, and the compliance with the cyber security requirements is being monitored and evaluated during the contract life-cycle.
Control Considerations
| 1. | The cyber security requirements should be defined, approved, implemented and communicated within the contract and vendor management processes. | |
| 2. | The compliance with contract and vendor management process should be monitored. | |
| 3. | The effectiveness of the cyber security controls within the contract and vendor management process should be measured and periodically evaluated. | |
| 4. | These contract and vendor management processes should cover: | |
| a. | whether the involvement of the cyber security function is actively required (e.g., in case of due diligence); | |
| b. | the baseline cyber security requirements which should be applied in all cases; | |
| c. | the right to periodically perform cyber security reviews and audits. | |
| 5. | The contract management process should cover requirements for: | |
| a. | executing a cyber security risk assessment as part of the procurement process; | |
| b. | defining the specific cyber security requirements as part of the tender process; | |
| c. | evaluating the replies of potential vendors on the defined cyber security requirements; | |
| d. | testing of the agreed cyber security requirements (risk-based); | |
| e. | defining the communication or escalation process in case of cyber security incidents; | |
| f. | ensuring cyber security requirements are defined for exiting, terminating or renewing the contract (including escrow agreements if applicable); | |
| g. | defining a mutual confidentiality agreement. | |
| 6. | The vendor management process (i.e., service level management) should cover requirements for: | |
| a. | periodic reporting, reviewing and evaluating the contractually agreed cyber security requirements (in SLAs). | |