IT Service and Third Party Agreement Requirements
Source basis
Ported from reference/IT Service & 3rd Party Vendor Agreements.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.
Guidelines for reviewing or approving an IT service or third-party agreement. Each clause below should be present and specific to the service in scope; a missing clause is a finding to raise with the contract owner before approval.
| Clause | Purpose |
|---|---|
| Scope of Services | Clearly define what the provider will deliver, including any access to systems, networks, or data. |
| Information Security Requirements | Mandate compliance with your security policies, TISAX controls, and ISO/IEC 27001 principles. |
| Confidentiality and NDAs | Enforce protection of sensitive information, including after contract termination. |
| Data Protection (GDPR if applicable) | Require adherence to data protection laws; include a Data Processing Agreement (DPA) if handling personal data. |
| Access Control | Define which systems, networks, and data the provider may access, the authentication requirements for that access, and that access is granted on a least-privilege basis and removed when no longer needed. |
| Incident Reporting | Require notification of any security incident, breach, or data leak affecting your data or services within a contractually specified timeframe, including the information the notification must contain. |
| Subcontracting Restrictions | Prohibit the use of subcontractors without prior written approval, and require approved subcontractors to be bound by the same security obligations as the provider. |
| Right to Audit / Review | Grant your company or its auditors the right to inspect the provider's controls or receive audit reports (e.g. ISO 27001, TISAX label). |
| Business Continuity & Disaster Recovery | Specify availability/recovery expectations if the vendor provides critical services. |
| Termination and Data Return/Destruction | Set procedures for the secure return or destruction of data (with written confirmation of destruction) and the revocation of all provider access at contract end. |
| Security Awareness & Training | Require provider personnel to be aware of security responsibilities. |
| Liability for Breaches | Define accountability, including consequences for non-compliance or breaches. |