Cyber security in supplier relationships

Many public authorities and private companies opt to outsource all or parts of their IT operations to external suppliers. On the one hand, outsourcing can be a sensible decision, from a business point of view, in order to enable the organization to focus on its core business activities, ensure availability of specialized skills required to run the IT operations, free up resources for other purposes, etc. On the other hand, outsourcing also comes with significant risks that can impact adversely on the organization’s cyber and information security. For this reason, supplier management is a key element for any outsourcing organization to achieve an effective cyber defence.

This guide provides steps for organizations that plan to outsource their IT operations on how to manage cyber and information security in client-supplier relationships. The guide provides recommendations on how organizations can manage their cyber and information security risks during the various phases of an outsourcing process. Other aspects of the organization’s cooperation with the supplier such as procurement, tender and contract management are not included in this guide.