Article 4 (Screening of Information Service Suppliers)
- An organization shall assess the operational capability of an information service supplier, adopt appropriate risk control measures, ensure outsourcing quality, and pay attention to appropriately diversifying information service suppliers to control operational risk. If there are doubts about overconcentration (including reliance on a single information service supplier by the organization or the market as a whole), a risk assessment shall be conducted in the selection of information service suppliers, and the results of the assessment shall be reported to the rank of general manager for approval.
- The standards for the selection of information service suppliers by an organization shall comprise the following and be documented and recorded for reference:
  - Financial capability, management capability, professionalism, maintenance and operation capability, and track record of the information service supplier.
  - A cloud computing service supplier shall have in place sound cloud computing information and communication security measures (provide a description of the measures and their implementation) or be third-party certified (e.g., CSA STAR, ISO 27017, ISO 27018).
  - An information service supplier of a type 1 organization shall have in place sound information and communication security measures (provide a description of the measures and their implementation) or be third-party certified (e.g., ISO 27001).