
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-1-4

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-1-4

January 17, 2026
3 min read

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-1-4 – The cybersecurity requirements for contracts and agreements with third-parties must be reviewed periodically.

Understanding the Requirement

This control requires organizations to treat third‑party cybersecurity clauses and contractual security requirements as living documents: they must be reviewed on a planned, documented schedule and whenever relevant laws, regulations, or business circumstances change. The goal is to make sure contracts continue to reflect current risk, incorporate new regulatory obligations, and remain enforceable — with clear evidence that reviews and any changes were approved by senior management.

Technical Implementation

  • Create a documented review plan and schedule.

    Define who owns third‑party contract reviews (procurement lead, security owner, or a delegated role), set a recurring interval per risk tier (for example: high‑risk vendors every 6 months, medium risk annually, low risk every 24 months) and list the events that force an out‑of‑cycle review (regulatory change, a data breach at the vendor, a significant change to service scope, or contract renewal). Record the rationale for each interval so an auditor can see the schedule is a deliberate, risk‑based choice rather than an arbitrary date.

  • Maintain a contract clause and template library.

    Develop standard security clauses and a contract template that cover minimum encryption standards for data in transit and at rest, access control, logging and log retention, breach notification timelines, audit rights, subcontractor flow‑down, data residency, and secure return or deletion of data at contract end. Keep versioned templates so reviewers can compare old and new language during reviews and can tell which version a given contract was signed against.

  • Integrate review into procurement and contract lifecycle tools.

    Put the security review step into your procurement workflow (checklist or contract lifecycle management tool). Require security sign‑off before signature and attach the latest approved security addendum to the executed contract.

  • Adopt a risk‑based review approach with monitoring.

    Classify vendors by criticality and data sensitivity (e.g., providers with access to PII or financial systems are high risk). For high‑risk vendors, require more frequent reviews and evidence such as recent security attestations (SOC 2, ISO 27001), penetration test results, or remediation plans. Check that an attestation's scope and coverage period actually cover the service you consume: a report for an unrelated service line, or one whose period has lapsed, is not evidence for this review. Use external threat feeds and supplier security questionnaires to detect changes that trigger reviews.

  • Document changes and obtain senior approval.

    Record all review outcomes and contract changes in a central repository. Keep a change log showing what was modified, why, who approved it, and when. Record the outcome even when a review concludes that no change is needed; an auditor needs evidence that the review took place, not only that contracts changed. Ensure the head of the organization or an authorized deputy signs off on material changes as required by the control.

  • Automate reminders and evidence collection where possible.

    Use calendar reminders or your contract management system to generate review tasks; attach supporting evidence (attestations, questionnaires, approval signatures) to each vendor record so audits can quickly demonstrate compliance.
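The steps above can be encoded as data and checked automatically. The following script is an added example written for this article, not code from the ECC standard, from Lakeridge, or from any contract‑management product. It models the risk‑tiered schedule and out‑of‑cycle triggers described above and reports, for each vendor, whether a scheduled review is overdue, whether an event forces an out‑of‑cycle review, and whether required evidence (including the senior‑management approval record) is missing. The vendor names, dates, evidence labels and the per‑tier evidence requirements are constructed assumptions for illustration.

```python
"""Third-party contract review tracker (added example for this article).

Illustration only; not code from the ECC standard or from any product.
It encodes a risk-tiered review schedule and out-of-cycle triggers and
reports which vendor contracts need attention. All vendor data below is
constructed for the example.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date

# Review interval per risk tier, in months (the article's example schedule).
REVIEW_INTERVAL_MONTHS = {"high": 6, "medium": 12, "low": 24}

# Evidence that must be attached to a vendor record for each tier
# (assumed policy; adjust to your own review checklist).
REQUIRED_EVIDENCE = {
    "high": {"security_attestation", "pentest_report", "approval_signature"},
    "medium": {"security_questionnaire", "approval_signature"},
    "low": {"approval_signature"},
}

# Events that force a review regardless of where the vendor is in its cycle.
OUT_OF_CYCLE_TRIGGERS = {
    "regulatory_change", "data_breach", "scope_change", "contract_renewal",
}

# Reference day for the sample run (the article's publication date).
REFERENCE_DAY = date(2026, 1, 17)


@dataclass
class Vendor:
    name: str
    risk: str                      # "high" | "medium" | "low"
    last_review: date              # date of the last completed, signed-off review
    evidence: set = field(default_factory=set)
    events_since_review: set = field(default_factory=set)


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month
    (a review done on 29 February must not be scheduled for a 29 February
    that does not exist)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_review_due(v: Vendor) -> date:
    """Scheduled due date derived from the vendor's risk tier."""
    return add_months(v.last_review, REVIEW_INTERVAL_MONTHS[v.risk])


def review_findings(v: Vendor, today: date) -> list:
    """Return the reasons this vendor needs attention; an empty list means OK."""
    findings = []
    due = next_review_due(v)
    if today >= due:
        findings.append(f"scheduled review overdue since {due.isoformat()}")
    triggers = v.events_since_review & OUT_OF_CYCLE_TRIGGERS
    if triggers:
        findings.append("out-of-cycle review required: " + ", ".join(sorted(triggers)))
    missing = REQUIRED_EVIDENCE[v.risk] - v.evidence
    if missing:
        findings.append("missing evidence: " + ", ".join(sorted(missing)))
    return findings


def review_report(vendors, today: date) -> dict:
    """Map vendor name -> findings for every vendor in the register."""
    return {v.name: review_findings(v, today) for v in vendors}


# Constructed sample vendor register.
SAMPLE_VENDORS = [
    Vendor("CloudHost Ltd", "high", date(2025, 6, 1),
           evidence={"security_attestation", "pentest_report", "approval_signature"}),
    Vendor("MSP One", "high", date(2025, 10, 15),
           evidence={"security_attestation", "approval_signature"},
           events_since_review={"regulatory_change"}),
    Vendor("Payroll SaaS", "medium", date(2025, 3, 1),
           evidence={"security_questionnaire", "approval_signature"}),
    Vendor("Office Supplies Co", "low", date(2024, 2, 29),
           evidence={"approval_signature"}),
]


if __name__ == "__main__":
    for name, findings in review_report(SAMPLE_VENDORS, REFERENCE_DAY).items():
        print(f"{name:20} {'OK' if not findings else '; '.join(findings)}")
```

In practice the vendor register would be exported from the contract repository or contract lifecycle tool rather than hard‑coded, and the non‑empty findings would be turned into review tasks or calendar reminders. Keeping the per‑tier evidence list and the trigger list as data, as here, means the review plan itself is versioned alongside the code that enforces it, which is the artifact an auditor will ask for.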

Example in a Small or Medium Business

Acme Web Services is an SMB that uses several cloud platforms and two managed service providers. The company created a vendor review plan that classifies providers into high, medium and low risk based on access to customer data and criticality to operations. High‑risk vendors are scheduled for review every six months; medium risk annually. The procurement lead maintains a library of approved security clauses and uses a simple contract checklist that includes breach notification timelines, data encryption requirements, and audit rights. When a new data‑protection law was announced, the procurement lead ran an out‑of‑cycle review for affected vendors, updated the standard addendum, and documented each change in the contract repository. For each material change, the CEO (as head of the organization) or their deputy signs the approval record. Acme also requires high‑risk vendors to provide their latest security attestations and attaches those files to the vendor record so auditors can verify reviews were completed and approvals captured.

Summary

Meeting this control is a combination of policy and practical processes: adopt a documented review schedule, keep versioned contract clauses and templates, integrate security sign‑offs into procurement, prioritize vendors by risk, and record every review and approval. For SMBs these steps are scalable and do not require heavy tooling — a simple contract repository, a checklist workflow, and clear owner responsibilities will satisfy the control while keeping contractual security requirements current and auditable.
