Back

Include the service levels for network services in the Service Level Agreement.


CONTROL ID
12024
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Service Level Agreement framework., CC ID: 00839

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Management of IT functions should ideally formulate a service level agreement with business units to cover system availability and performance requirements, capacity for growth, and the level of support provided to users. The responsible IT functions should ensure that adequate procedures are in pla… (5.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The FI should ensure that contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties are set out fully in written agreements. The requirements and conditions covered in the agreements would usually include performance targets, ser… (§ 5.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arr… (DS1.3 Service Level Agreements, CobiT, Version 4.1)
  • Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. (A.13.1.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. (§ 13.1.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. (§ 8.21 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)