Requirement:
The cybersecurity requirements for contracts and agreements with IT outsourcing and managed services third-parties must include at least the following:
Sub-Controls:
4-1-3-1:
Requirement:
Conducting a cybersecurity risk assessment to ensure the availability of risk mitigation controls before signing contracts and agreements or upon changes in related regulatory requirements.
Control Implementation Guidelines:
- Define and document the requirements of this control in the cybersecurity requirements document and approve them by the representative, provided that they include the requirements of conducting a cybersecurity risk assessment, and ensuring that there is a guarantee to control those risks before signing contracts and agreements or in the event of changes in the relevant laws and regulations
- Conduct a third-party cybersecurity risk assessment by the organization in the following cases:
- Before the organization signs any contracts or agreements with third parties
- In the event of changes in relevant laws and regulations
Expected Deliverables:
- Cybersecurity policy that covers the requirements of contracts and agreements with third-parties (e.g., electronic copy or official hard copy)
- Sample of the third-party cyber risk assessment report before signing the contract or in the event of changes in relevant laws and regulations
4-1-3-2:
Requirement:
Cybersecurity managed services centers for monitoring and operations must be completely present inside the Kingdom of Saudi Arabia.
Control Implementation Guidelines:
- Define and document the requirements of this control in the cybersecurity requirements document and approve them by the representative, provided that they include the requirements for the managed operation and monitoring cybersecurity operations centers, which use remote access method, to be located within the Kingdom
- Ensure that Cybersecurity operation centers managed for operation and monitoring are located within the Kingdom
- Ensure that remote access to Cybersecurity operation centers managed for operation and monitoring is performed within the Kingdom
- Include a clause in the contract or service level agreement signed with the third party that obliges the third party to have operations centers for operating and monitoring cybersecurity services, which use remote access within the Kingdom
Expected Deliverables:
- Cybersecurity policy that covers the requirements of contracts and agreements with third-parties (e.g., electronic copy or official hard copy)
- A sample of the evidence of hosting or managing the cybersecurity operations center within the Kingdom (e.g., as an item of the signed contract or having a Service Level Agreement (SLA) signed between the third party and the organization)
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
CMMC Level 1 Compliance
Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
NIST SP 800-171 & CMMC Level 2 Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.