Include performance standards in outsourcing contracts.


CONTROL ID: 13140
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain outsourcing contracts. (CC ID: 13124)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • While AIs are expected to take into account the general guidance specified in SA-2 “Outsourcing” when managing technology outsourcing, they should also have regard to the following controls: - technology service providers should have sufficient resources and expertise to comply with the substanc… (7.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • performance, operational, internal control and risk management standards; (5.5.2 (b), Guidelines on Outsourcing)
  • An institution should establish a structure for the management and control of its outsourcing arrangements. Such a structure will vary depending on the nature and extent of risks in the outsourcing arrangements. As relationships and interdependencies in respect of outsourcing arrangements increase i… (5.8.1, Guidelines on Outsourcing)
  • where impediments capable of altering the performance of the outsourced function are identified; (4.13.4 98(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • the right to agree on alternative assurance levels if other clients' rights are affected; (Art. 30.3. ¶ 1(e)(ii), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • control and monitoring of the external providers' performance to be applied by the organization; (8.4.3 ¶ 2(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Roles, responsibilities, and performance standards of the parties, including those related to the sale or lease of equipment needed for RDC at the customer location. (App A Tier 2 Objectives and Procedures N.5 Bullet 2 Sub-Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Performance standards; (App A Tier 2 Objectives and Procedures O.4 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)