Essential Cybersecurity Controls (ECC – 2 : 2024) - 4-1-1
Cybersecurity requirements for contracts and agreements with third-parties must be identified, documented and approved.
Essential Cybersecurity Controls (ECC – 2 : 2024) - 4-1-2
The cybersecurity requirements for contracts and agreements with third-parties (e.g., Service Level Agreement (SLA)), which may affect, if impacted, the organization’s data or services, must include at least the following:
- Non-disclosure clauses and secure removal of organization’s data by third parties upon end of service.
- Communication procedures in case of cybersecurity incidents.
- Requirements for third-parties to comply with related organizational policies and procedures, laws and regulations.
Essential Cybersecurity Controls (ECC – 2 : 2024) - 4-1-3
The cybersecurity requirements for contracts and agreements with IT outsourcing and managed services third-parties must include at least the following:
- Conducting a cybersecurity risk assessment to ensure the availability of risk mitigation controls before signing contracts and agreements or upon changes in related regulatory requirements.
- Cybersecurity managed services centers for monitoring and operations must be completely present inside the Kingdom of Saudi Arabia.
Essential Cybersecurity Controls (ECC – 2 : 2024) - 4-1-4
The cybersecurity requirements for contracts and agreements with third-parties must be reviewed periodically.