A.10.2 Third party service delivery management

Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

A.10.2.1 Service delivery

Control

It shall be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party.

A.10.2.2 Monitoring and review of third party services

Control

The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly.

A.10.2.3 Managing changes to third party services

Control

Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks.