15.4: Ensure Service Provider Contracts Include Security Requirements

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:



Control is new to this version of the control set.

Control Statement

Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]