Include third party relationships in the analysis of the external environment.


CONTROL ID
12952
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze the external environment in which the organization operates., CC ID: 12799

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In considering the above, the Board would normally take into account the use of third parties and related parties (including group functions) by the APRA-regulated entity. (9., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The types of business relationships it has (e.g., joint ventures, suppliers, franchisees). (§ 1. Step 1. Business Relationships ¶ 1 Bullet 1, GRI 3: Material Topics 2021)
  • The nature of the business relationships (e.g., whether they are based on a long-term or short-term contract, whether they are based on a specific project or event). (§ 1. Step 1. Business Relationships ¶ 1 Bullet 3, GRI 3: Material Topics 2021)
  • The organization should consider the activities, business relationships, stakeholders, and sustainability context of all the entities it controls or has an interest in (e.g., subsidiaries, joint ventures, affiliates), including minority interests. (§ 1. Step 1. ¶ 2, GRI 3: Material Topics 2021)
  • Analyze influencing factors in the external context including: - Industry forces - Market - Technology - Societal - Regulatory and legal - Geopolitical - Environmental - Third-party relationships - External opportunities and threats (as part of SWOT (OCEG GRC Capability Model, v. 3.0, L1.1 Analyze the External Context, OCEG GRC Capability Model, v 3.0)
  • the nature and scope of business relations with third parties; (§ 4.1 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the nature and scope of business relations with third parties; (§ 4.1 ¶ 2 bullet 7, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • customers, partners and third parties; (§ 6.3.3 ¶ 3 Bullet 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • extent of outsourcing and external party arrangements used within the ISMS scope; (§ 7.2.1.2 e), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Map vulnerable populations and public and private health facilities (including traditional healers, pharmacies and other providers) and identify alternative facilities that may be used to provide treatment (Pillar 7 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • the interrelationship between the service organization and its subservice organizations and vendors, including the service organization's process for assessing and managing system risks associated with those subservice organizations and vendors; (¶ 3.59 Bullet 11 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading sample contracts with subservice organizations and associated performance or service-level agreements and other documentation to understand how the service organization's contracting process addresses security-related matters; the interrelationship between the service organization and its su… (¶ 3.50 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)