Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts.


CONTROL ID
06890
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Include operational requirements in system acquisition contracts., CC ID: 00825

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • When financial institutions conclude contracts with contractors, the contracts must include provisions on the protection of corporate secrets and reliable system operation in order to ensure that the entrusted operations are securely performed. It is also possible to conclude a non-disclosure agree… (C21.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The user requirement specifications should be understood and agreed upon by the user and the supplier, with a clear distinction between the mandatory regulatory requirements and the optional features. (¶ 9.3 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Additional, specialized controls should be identified for each external supplier to meet particular business and security requirements (e.g., as a result of a business relationship assessment, an information risk assessment, legal or regulatory requirements, or contractual arrangements). (CF.16.01.05a, The Standard of Good Practice for Information Security)
  • The organization shall provide the supplier with all the data it needs. (§ 6.1.1.3(d)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)