A-6-2 External parties

Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties

Control

The risks to the organization’s information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.

A.6.2.2 Addressing security when dealing with customers

Control

All identified security requirements shall be addressed before giving customers access to the organization’s information or assets.

A.6.2.3 Addressing security in third party agreements

Control

Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements.