
SSO-01 Policies and instructions for controlling and monitoring third parties

Control Description

Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects:

• Requirements for the assessment of risks resulting from the procurement of third-party services;
• Requirements for the classification of third parties based on the risk assessment by the Cloud Service Provider and the determination of whether the third party is a subcontractor (cf. Supplementary Information);
• Information security requirements for the processing, storage or transmission of information by third parties based on recognised industry standards;
• Information security awareness and training requirements for staff;
• Applicable legal and regulatory requirements;
• Requirements for dealing with vulnerabilities, security incidents and malfunctions;
• Specifications for the contractual agreement of these requirements;
• Specifications for the monitoring of these requirements; and
• Specifications for applying these requirements also to service providers used by the third parties, insofar as the services provided by these service providers also contribute to the provision of the cloud service.

Additional criteria:

Subservice organisations of the Cloud Service Provider are contractually obliged to provide regular reports by independent auditors on the suitability of the design and operating effectiveness of their service-related internal control system. The reports include the complementary subservice organisations that are required, together with the controls of the Cloud Service Provider, to meet the applicable basic criteria of BSI C5 with reasonable assurance.

In case no reports can be provided, the Cloud Service Provider agrees appropriate information and audit rights to assess the suitability and effectiveness of the service-related internal control system, including the complementary controls, by qualified personnel.
