Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-1-3 – The cybersecurity requirements for contracts and agreements with IT outsourcing and managed services third-parties must include at least the following:
Understanding the Requirement
This control requires that any contract or agreement with IT outsourcing and managed services providers explicitly include a baseline of cybersecurity requirements and mechanisms to enforce them. Its two sub-controls (4-1-3-1 and 4-1-3-2) point to both defining minimum security clauses in contracts (e.g., data handling, access controls, incident reporting) and ensuring ongoing oversight and verification (e.g., monitoring, audits, compliance checks). For an SMB, that means turning security expectations into written, enforceable contract terms plus the processes to verify they are followed.
Technical Implementation
- Build a contract security checklist: Create a short standardized appendix or checklist that every outsourcing agreement uses. Items should include minimum authentication (MFA), least-privilege access, encryption for data at rest and in transit, data segregation, and approved subcontractor rules. Keep the checklist one page so it’s practical during negotiations.
- Define SLAs and reporting requirements: Require measurable security SLAs such as patching windows (e.g., critical patches within 7 days), vulnerability scan cadence, and an SLA for security incident notification (e.g., notify within 24 hours of detection). Specify the format and cadence of security reports (monthly summary, quarterly posture review).
- Right-to-audit and attestations: Include a right-to-audit clause or require third-party attestations (SOC2, ISO 27001, or equivalent) and annual penetration testing reports. If a full audit is impractical, require the provider to supply recent scan/pen test results and remedial plans.
- Incident response and breach handling: Define notification timelines, roles, and responsibilities during an incident, including who leads communications with customers and regulators, required forensic access, and steps for containment and remediation. Require the provider to maintain an incident response plan and to run tabletop exercises annually.
- Data handling, portability and secure termination: Specify how customer data is stored, backed up, and returned or securely destroyed at contract end. Require rules on who controls encryption keys and a documented data-deletion verification process.
- Operational controls and monitoring: Require logging and retention standards, access reviews (quarterly), privileged access management, and integration of alerts into your own SOC or a shared SOC. Define acceptable tools or APIs for evidence collection (e.g., access logs, change records).
Example in a Small or Medium Business
Acme Retail, a 75-employee company, hires an MSP to host its point-of-sale and back-office systems. Before signing, Acme uses a one-page security appendix that requires MFA for all administrative access, AES-256 encryption for customer data at rest, and TLS for data in transit. The contract mandates vendor-provided monthly vulnerability scan reports and an annual SOC2 Type II attestation. It also sets a 24-hour incident notification SLA and requires the MSP to preserve logs for 12 months and grant Acme the right to review them on request. During the first quarter, the MSP delivers the scan report and a remediation plan; Acme verifies remediation during a joint review. Six months later a phishing-related breach affects a subcontractor; the MSP follows the incident timeline, notifies Acme within the SLA, shares forensic findings, and restores services after agreed containment steps. At contract renewal, Acme reviews the MSP’s performance against SLAs and decides to extend with a minor amendment that tightens privileged access reviews to occur monthly instead of quarterly.
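As an added illustration (not part of the ECC text, the Acme scenario, or any vendor tool), the following Python check scores provider-supplied evidence against the SLA figures used above: 7-day critical patching, 24-hour incident notification, quarterly privileged access reviews and 12-month log retention. The evidence record format, the thresholds and the sample records are all constructed for this example.

```python
from datetime import datetime

# Contractual thresholds matching the clauses discussed above (constructed values).
SLA = {
    "critical_patch_days": 7,     # critical patches applied within 7 days
    "incident_notify_hours": 24,  # customer notified within 24h of detection
    "access_review_days": 90,     # privileged access reviews at least quarterly
    "log_retention_days": 365,    # logs preserved for 12 months
}


def parse_ts(s):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the evidence records."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def check_record(rec, as_of, sla=SLA):
    """Evaluate one provider evidence record; returns (compliant, detail)."""
    kind = rec["kind"]
    if kind == "critical_patch":
        days = (parse_ts(rec["patched"]) - parse_ts(rec["found"])).days
        return days <= sla["critical_patch_days"], f"{rec['id']}: patched in {days}d"
    if kind == "incident":
        hours = (parse_ts(rec["notified"]) - parse_ts(rec["detected"])).total_seconds() / 3600
        return hours <= sla["incident_notify_hours"], f"{rec['id']}: notified after {hours:.0f}h"
    if kind == "access_review":
        age = (as_of - parse_ts(rec["last_review"])).days
        return age <= sla["access_review_days"], f"{rec['id']}: last review {age}d ago"
    if kind == "log_retention":
        kept = rec["retention_days"]
        return kept >= sla["log_retention_days"], f"{rec['id']}: retention {kept}d"
    raise ValueError(f"unknown evidence kind: {kind}")


def sla_breaches(records, as_of, sla=SLA):
    """Return the ids of records that fail their contractual SLA, in input order."""
    return [rec["id"] for rec in records if not check_record(rec, as_of, sla)[0]]


# Constructed evidence set, as an MSP might supply for a quarterly review.
EVIDENCE = [
    {"id": "PATCH-1", "kind": "critical_patch", "found": "2024-03-01 09:00", "patched": "2024-03-05 17:00"},
    {"id": "PATCH-2", "kind": "critical_patch", "found": "2024-03-10 09:00", "patched": "2024-03-20 09:00"},
    {"id": "INC-1", "kind": "incident", "detected": "2024-06-02 09:00", "notified": "2024-06-03 08:00"},
    {"id": "INC-2", "kind": "incident", "detected": "2024-06-15 10:00", "notified": "2024-06-17 10:00"},
    {"id": "REVIEW-1", "kind": "access_review", "last_review": "2024-04-20 00:00"},
    {"id": "LOGS-1", "kind": "log_retention", "retention_days": 180},
]

if __name__ == "__main__":
    review_date = parse_ts("2024-07-01 00:00")
    for rec in EVIDENCE:
        ok, detail = check_record(rec, review_date)
        print("PASS" if ok else "FAIL", detail)
```

Each failing id maps to a clause in the contract appendix, which gives the joint review a concrete remediation list rather than a subjective discussion.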
Summary
Turning the control into practice means embedding clear, enforceable security clauses into every outsourcing agreement and pairing them with operational controls that let you verify compliance. A concise contract appendix, defined SLAs for patching and incident notification, rights-to-audit or attestations, logging and access controls, and data-return/destruction rules together give SMBs both the contractual leverage and technical evidence needed to manage third-party risk effectively. Regular reviews and simple verification steps keep the arrangement practical and maintainable for a small organization.