IT supplier relationships

Carry out information and cyber security risk assessments and due diligence checks to understand and mitigate risks prior to granting IT suppliers access to your organisation's networks and assets.

Conduct due diligence checks.
Group suppliers into different categories based on the nature of the service they provide.
Assign risk profiles to each group, taking into account the:

Options to consider:

Include appropriate information and cyber security requirements or clauses in contracts and ensure they are enforceable under the contract.
Conduct audits or reviews of information and cyber security arrangements on a periodic basis.

Keep a centralised log of all contracts and agreements to facilitate an easily review when required.
Dip sample current contracts to check they are valid, up-to-date and include correct security requirements.

Implement a policy that defines how you manage information and cyber security risks associated with using cloud services.
Complete information and cyber security risk assessments before using a cloud service.
Identify and document residual risks and ask management to accept them.
Adopt a shared responsibility model that clearly defines the responsibilities of both your organisation and the cloud service provider.
Obtain assurances from cloud service providers that their information and cyber security controls are sufficient.
Implement procedures for handling information security incidents that occur when using cloud services.
Include provisions for protecting personal information and the availability of services in contracts, such as access controls, malware monitoring, and backup services.
Document processes for changing or stopping the use of cloud services, including exit strategies and returning information, such as configuration files, source code and data?