Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024), Control 4-1-2: The cybersecurity requirements for contracts and agreements with third parties (e.g., a Service Level Agreement (SLA)) which, if those parties are impacted, may affect the organization's data or services, must include at least the following:
Understanding the Requirement
This control requires that every contract or SLA with a third party whose compromise could affect the organization's data or services carries clear, enforceable cybersecurity requirements. Under ECC – 2 : 2024 the organization defines what it expects of the vendor and retains rights and remedies when those expectations are not met. The three sub-controls (4-1-2-1, 4-1-2-2 and 4-1-2-3) together imply three things: define which assets and data are in scope, specify the minimum security and operational controls (including incident handling), and establish audit, assurance and contractual enforcement mechanisms.
Technical Implementation
- Inventory and scoping clause: Include a contractual clause that lists the systems, data types, and services covered (e.g., customer PII, backups, authentication systems). Require the vendor to keep a current subprocessor list and to notify you of changes within a defined timeframe (e.g., 10 business days); without the subprocessor list, the scope clause only covers the vendor's own staff and infrastructure.
- Minimum security requirements: Require specific security controls such as encryption at rest and in transit (e.g., AES-256 at rest, TLS 1.2 or later in transit), MFA for all administrative access, role-based access control, regular vulnerability scanning, and timely patching with a defined start of the clock (e.g., critical patches within 14 days of the vendor becoming aware of the vulnerability). A clause that names a control but not its measurement point (when the patch clock starts, what counts as "administrative" access) is hard to enforce.
- Incident detection and notification: Define what counts as a reportable incident (suspected as well as confirmed), and measure reporting timelines from the vendor's detection, not from its internal confirmation (for SMBs a practical requirement is initial notification within 24 hours of detection and a detailed report within 72 hours). Specify log retention periods (e.g., 90 days readily searchable, longer where an investigation requires it) and require the vendor to preserve forensic data (logs, affected systems, account activity) until the organization confirms the investigation is closed.
- Service levels and recoverability: Include uptime targets and measurable recovery objectives (RTO/RPO, ideally per service tier), backup frequency and retention, and proof-of-test clauses (e.g., an annual disaster recovery test with summary results delivered to the customer).
- Assurance and audit rights: Require periodic security attestations such as SOC 2 Type II or ISO 27001 reports or third-party penetration test summaries (with test date, scope and remediation status), and include the right to audit or to obtain audit reports. Check that an attestation's scope actually covers the services you use and that its period is recent. For SMBs that cannot perform full audits, require vendor-provided evidence and a remediation timeline for findings.
- Data handling and termination: Specify data processing rules (purpose, minimization), data residency/location if relevant, and clear data return/secure deletion procedures upon contract termination, with certification of deletion within a set window (e.g., 30 days). Deletion must explicitly cover backups and subprocessor copies, or the certification is only as good as the vendor's primary store.
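The clauses above only work if the evidence the vendor delivers can be checked against the agreed thresholds. The following is an added example, not part of the ECC text or of any vendor's tooling: it evaluates two kinds of vendor evidence (a vulnerability scan summary and an incident timeline) against the windows proposed in this section (critical patches within 14 days, initial notification within 24 hours of detection, detailed report within 72 hours). The 30-day window for "high" findings, the CSV layout of the scan summary, the finding and incident identifiers and all sample data are assumptions made for the example.

```python
"""Evaluate vendor-delivered evidence against contractual security SLAs.

Added example, not ECC text or vendor tooling. Thresholds are the ones this
section proposes; the 'high' patch window, the CSV layout and all sample
data are assumptions for the example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

PATCH_SLA_DAYS = {"critical": 14, "high": 30}   # 'high' window is assumed
NOTIFY_HOURS = 24    # initial notification, measured from detection
REPORT_HOURS = 72    # detailed report, measured from detection


@dataclass(frozen=True)
class Breach:
    kind: str     # "patch", "notification" or "report"
    ref: str      # finding id or incident id
    detail: str


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


def _hours_between(start: str, end: str) -> float:
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def check_patch_sla(scan_csv: str, as_of: str) -> list[Breach]:
    """Flag findings fixed late, or still open past their deadline, as of `as_of`.

    Expected columns: id,severity,first_seen,fixed_on (fixed_on empty when open).
    The clock starts at first_seen, i.e. when the vendor's own scan found it.
    """
    breaches = []
    now = _day(as_of)
    for row in csv.DictReader(io.StringIO(scan_csv)):
        sev = row["severity"].strip().lower()
        if sev not in PATCH_SLA_DAYS:       # no contractual window for lower severities
            continue
        deadline = _day(row["first_seen"]) + timedelta(days=PATCH_SLA_DAYS[sev])
        fixed = _day(row["fixed_on"]) if row["fixed_on"].strip() else None
        if fixed is None and now > deadline:
            late = (now - deadline).days
            breaches.append(Breach("patch", row["id"], f"{sev} still open, {late} days past deadline"))
        elif fixed is not None and fixed > deadline:
            late = (fixed - deadline).days
            breaches.append(Breach("patch", row["id"], f"{sev} fixed {late} days late"))
    return breaches


def check_incident_timeline(incident_id: str, detected: str, notified: str, reported: str) -> list[Breach]:
    """Both clocks run from the vendor's detection time, as the clause requires."""
    breaches = []
    h_notify = _hours_between(detected, notified)
    if h_notify > NOTIFY_HOURS:
        breaches.append(Breach("notification", incident_id,
                               f"notified after {h_notify:.0f} h (limit {NOTIFY_HOURS} h)"))
    h_report = _hours_between(detected, reported)
    if h_report > REPORT_HOURS:
        breaches.append(Breach("report", incident_id,
                               f"report after {h_report:.0f} h (limit {REPORT_HOURS} h)"))
    return breaches


# Constructed sample evidence, in the shape a vendor might deliver it under the clauses above.
SAMPLE_SCAN = """id,severity,first_seen,fixed_on
VX-0001,critical,2024-03-01,2024-03-10
VX-0002,critical,2024-03-01,2024-03-20
VX-0003,high,2024-03-05,
VX-0004,medium,2024-03-01,
"""
SAMPLE_INCIDENT = ("INC-7", "2024-04-01T08:00", "2024-04-02T10:00", "2024-04-04T07:00")


def run_sample() -> list[Breach]:
    """Evaluate the constructed sample as of 2024-04-10."""
    return check_patch_sla(SAMPLE_SCAN, "2024-04-10") + check_incident_timeline(*SAMPLE_INCIDENT)


if __name__ == "__main__":
    for b in run_sample():
        print(f"[{b.kind}] {b.ref}: {b.detail}")
```

On the sample, VX-0001 is fixed inside its window, VX-0002 is fixed five days late, VX-0003 is still open six days past its deadline, and the incident was notified 26 hours after detection (a breach) but reported within 72 hours. The point for contract drafting is that every threshold here has an unambiguous start time and an evidence format; a clause that cannot be evaluated this mechanically will not hold up when the vendor disputes it.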
Example in a Small or Medium Business
AcmeCo is a 50-person marketing agency that stores client contact lists and campaign analytics in a cloud CRM provided by VendorX. When negotiating the SLA, AcmeCo adds a scoping clause that explicitly names the client PII fields and analytics datasets covered. The contract requires VendorX to use encryption in transit and at rest, enforce MFA for all administrative users, and provide monthly vulnerability scan summaries. AcmeCo also includes an incident notification clause requiring VendorX to alert it within 24 hours of detecting any suspected breach, deliver a written incident report within 72 hours, and follow up with a root-cause analysis once the investigation closes. VendorX must deliver an annual third-party security attestation whose scope covers the CRM service AcmeCo uses, and allow a desk-based compliance review on request. Finally, the SLA defines an RTO of 4 hours for critical outages, backup retention of 90 days, and a certified data deletion process, covering backups, within 30 days of contract termination. This combination of clear scope, technical controls, notification timelines, and assurance rights lets AcmeCo manage risk without running full internal audits.
Summary
By embedding clear scope, minimum technical controls, incident response and notification obligations, measurable service levels, and assurance/audit rights into third-party contracts and SLAs, SMBs make vendors accountable for protecting their data and services. Practical, specific clauses (encryption, MFA, patch timelines with a defined start of the clock, notification windows measured from detection, RTO/RPO, and evidence of compliance) turn policy into enforceable obligations and give SMBs the information and contractual remedies they need to reduce supply-chain risk.