
Supplier And Service Provider Governance

Alan McSweeney
http://ie.linkedin.com/in/alanmcsweeney

Management Of IT Suppliers And Service Providers

- Management of IT suppliers and service providers relates to the operational aspects of the sourcing relationship after the selection process
- Involves the monitoring and measurement of IT supplier and service provider performance, and of the organisation's own performance in handling suppliers and service providers
- Involves the management of the risks associated with the organisation's use of suppliers and service providers
- Concerned here with the initial and ongoing approach to supplier/service provider audit, validation and assessment to reduce risk to the sourcing organisation
- Not concerned with validating the functionality of a specific solution or service

February 9, 2016

IT Supplier And Service Provider Acquisition And Management

- The IT function is becoming largely a manager of suppliers and service providers across a wide range of products, solutions and services
- When products and services are outsourced, the risks carried by the suppliers and service providers are inherited by the acquiring organisation
- Effective supplier selection and ongoing assessment, validation and management is an important skill for the IT function
- The IT function should adopt a structured, repeatable approach that is easy to implement and operate, in order to:
  - Reduce the costs (and the risks) of poor supplier and service provider selection and service delivery, and improve the quality of service delivery
  - Ensure better control of assets and resources
  - Support and enable collaboration with, and innovation by, suppliers and service providers where appropriate
- Vendor governance during the life of the sourcing arrangement is crucial
- Sourcing should not be a fire-and-forget activity

IT Function Facilitates The Selection Of Suppliers And Service Providers To Meet Business Needs

[Diagram: Business Functions -> IT Function -> Suppliers And Service Providers. IT needs to focus the business needs for services on appropriate suppliers.]

IT mediates between the business and the supplier ecosystem, acting as a lens focussing business needs on appropriate suppliers.

IT Function As Mediator, Facilitator And Intermediary

[Diagram of the exchange between the business, the IT function and the supplier/service provider:]
- Business to IT function: "I want a solution/service"
- IT function to business: "I understand your needs and will select an appropriate supplier/service provider"
- IT function selects the supplier/service provider, who delivers the solution/service
- IT function: "I manage the supplier/service provider's delivery of the solution/service"

Spectrum Of Sourcing And Service Supply Arrangements

Arranged along an axis of the potential duration of the sourcing and service supply arrangement:
- Product Supply
- Support and Maintenance
- Consulting
- Installation and Customisation
- Service Provision/xSourcing
- Externally Hosted Service/Cloud/xaaS

Key Activities During Sourcing

[Diagram: activities mapped against the sourcing lifecycle phases Analysis and Identification, Initiation/Transition, Service Delivery, Service Delivery Management and Governance, and Completion.]

Ongoing activities across the whole lifecycle:
- Sourcing Strategy Management
- Governance Management
- Relationship Management
- Value Management
- Organisational Change Management
- People Management
- Knowledge Management
- Technology Management
- Threat Management

Lifecycle activities, in phase order:
- Sourcing Opportunity Analysis
- Sourcing Approach
- Sourcing Planning
- Service Provider Evaluation
- Sourcing Agreement
- Service Transfer
- Sourced Services Management
- Sourcing Completion/Handover

Activities During Sourcing

- This is the full set of possible activities to be performed during the management and governance of a sourcing engagement
- The actual set of activities will depend on the profile of the sourcing engagement

IT Supplier And Service Provider Acquisition And Management Key Focus Areas And Competencies

[Diagram: focus areas laid out across the sourcing lifecycle]
- Sourcing Strategy And Objectives Definition
- Sourcing Governance Definition
- Opportunity Identification And Business Engagement
- Sourcing Procedure And Process Definition
- Solution/Service And Supplier/Service Provider Evaluation Factors
- Organisation Change
- Sourcing Template Creation
- Supplier And Service Provider Identification, Evaluation And Selection
- Supplier And Service Provider Integration
- Sourcing Measurement And Monitoring Definition
- Contract Definition, Negotiation And Closing
- Transition And Transformation
- Supplier And Service Provider Engagement And Service Delivery:
  - Order Management
  - Contract Management
  - Supplier And Service Provider Assessment and Management
  - Performance Monitoring And Measurement
  - Service Improvement
  - Supplier And Service Provider Risk Management
- Sourcing Termination/Transfer To Different Supplier And Service Provider
- Sourcing Strategy Evaluation And Update

IT Supplier And Service Provider Acquisition And Management Key Focus Areas And Competencies

- These are the sets of skills the IT function needs to be good at to deliver effective sourcing and acquisition
- Not all focus areas apply to all supplier and service provider types or to all types of sourcing relationship

IT Supplier And Service Provider Acquisition And Management Assessment, Measurement And Validation Areas

[Diagram: the same focus-area map as above, with the areas concerned with assessment, measurement and validation highlighted: Solution/Service And Supplier/Service Provider Evaluation Factors; Supplier And Service Provider Identification, Evaluation And Selection; Sourcing Measurement And Monitoring Definition; Supplier And Service Provider Assessment and Management; Performance Monitoring And Measurement.]

IT Supplier And Service Provider Acquisition And Management Assessment, Measurement And Validation Areas

- Assessment, measurement and validation involves both general solution/service provider assessment and assessment specific to the service/solution
- General solution/service provider assessment and validation is used to identify and reduce risk
- Assessment and measurement comprises:
  - Definition of the approach
  - Implementation and operation

IT Supplier And Service Provider Acquisition And Management Assessment, Measurement And Validation Areas

- Sourcing Measurement And Monitoring Definition - define approaches to assessing different types of suppliers and service providers and different types of solution and service
- Solution/Service And Supplier/Service Provider Evaluation Factors - define solution/service-specific evaluation factors
- Supplier And Service Provider Identification, Evaluation And Selection - apply the solution/service-specific evaluation factors to evaluate vendors and their solutions/services, and apply the general vendor assessment
- Supplier And Service Provider Assessment and Management - ongoing solution and service provider assessment and validation
- Performance Monitoring And Measurement - measure delivery of the specific solution/service against defined and agreed values

Assessment, Measurement And Validation Throughout Selection And Delivery

[Diagram: matrix of Define versus Implement and Operate, for solution-specific and supplier/service provider common assessment/validation and performance measurement]

Solution-specific:
- Assessment/Validation: define service/solution-specific evaluation factors; then evaluate and score the service/solution using the defined evaluation factors
- Performance Measurement: define service/solution-specific performance measurement factors; then measure delivery of the service/solution using the defined measurement factors

Supplier/Service Provider common:
- Assessment/Validation: define supplier/service provider-specific evaluation factors; then evaluate and score the supplier/service provider using the defined evaluation factors
- Performance Measurement: define supplier/service provider-specific performance measurement factors; then measure delivery by the supplier/service provider using the defined measurement factors

Concerned Here With Common Framework For Supplier/Service Provider Validation

[Diagram: the same Define / Implement and Operate matrix as above, with the supplier/service provider common row highlighted: define supplier/service provider-specific evaluation factors and performance measurement factors, then evaluate and score the supplier/service provider and measure its delivery using those factors.]

Operation Of A Service

[Diagram: Service Users receive Service Delivery from the Service Provider; the Internal Operation of the Service sits inside the Service Provider; the acquiring organisation performs Measurement of Service Delivery.]

Operation Of A Service

- The acquiring organisation should not concern itself with the day-to-day internals of the service, only with its results and outcomes
- The acquiring organisation should measure the delivery of the service using the agreed performance gauges
- The acquiring organisation should nevertheless audit the service provider's controls, because it inherits the risks behind those controls

Supplier Validation During Sourcing And Service Delivery

[Diagram: across the phases Analysis and Identification, Initiation/Transition, Service Delivery, Service Delivery Management and Governance, and Completion, an Initial Supplier Validation is followed by Regular Supplier Re-validation.]

- Supplier validation should be performed initially during supplier transition and regularly thereafter during the life of the sourcing arrangement
- Audit the controls put in place by the supplier/service provider, and their operation, to reduce the risk to the sourcing organisation

Components Of An Operational Sourced Solution

[Diagram: an operational solution comprises Software; Infrastructure; Information and Data; Use, Operational, Support and Management Teams; and Operation and Support Processes and Services.]

Components Of An Operational Sourced Solution

Concerned here with the operational solution after it has been implemented:
- Software - packaged and custom applications that either run the solution or support the operation and use of those applications
- Infrastructure - physical facilities on which the solution software runs or which enable it to run
- Information and Data - information supplied to, generated by and stored by the solution application components
- Use, Operational, Support and Management Teams - the set of services and personnel involved in the use, operation and management of the solution or service
- Operation and Support Processes and Services - the set of manual and automated processes related to the use, operation and management of the solution or service

Supplier And Service Provider Validation

- The supplier should expect regular validation and auditing during the lifetime of the sourcing activity

Vendor Assessment Depends On The Type Of Product/Service

- The amount of effort spent on validating suppliers and service providers should be based on the size, cost, importance and type of product/service being provided

Key Dimensions Of Solution/Service

[Diagram: Solution/Service Factors]
- Split Between Product And Service
- Extent Of Customisation
- Type Of Engagement
- Expected Duration Of Business Relationship
- Importance Of Product/Service
- Expected/Contracted Cost
- Size/Extent Of Product/Service
- Experience And Proven Ability Of Supplier
- Novelty Of Product/Service
- Complexity Of Product/Service
- Security, Performance, Reliability, Availability Requirements Of Product/Service
- Implementation/Transition Effort And Time
- Availability Of Skills And Experience With Product/Service

Key Dimensions Of Solution/Service

These dimensions affect how the supplier/service provider should be validated: they are the set of risk factors that dictate the level of supplier governance necessary.

- Split Between Product And Service - the mix between pure product and services
- Extent Of Customisation - how much the product/service must be customised for the organisation
- Type Of Engagement - consulting, analysis, implementation, or a mix of services of these types
- Expected Duration Of Business Relationship - how long the service will be provided for, or is contracted for
- Importance Of Product/Service - the sensitivity and importance of the product/service to the organisation
- Expected/Contracted Cost - how much the product/service is expected to cost, or the contracted cost
- Size/Extent Of Product/Service - the amount of effort and the number of parties and stakeholders involved in or affected by the product/service
- Experience And Proven Ability Of Supplier - how experienced the supplier is in successfully delivering the product/service
- Novelty Of Product/Service - how new or well-proven the underlying technology and approach of the product/service are
- Complexity Of Product/Service - how complex the product/service is, in the number of components and interfaces
- Security, Performance, Reliability, Availability Requirements Of Product/Service - whether there are specific requirements of the product/service in these areas
- Implementation/Transition Effort And Time - the estimated or expected effort and time to implement or transition to the product/service
- Availability Of Skills And Experience With Product/Service - how readily available skills are within the organisation

Profiling The Solution/Service Governance Requirements

[Diagram: the solution/service dimensions are scored to place the engagement on a scale of Degree of Validation and Governance Required.]

- More complex, costly and lengthy solutions/services require greater governance

Approaches To Supplier And Service Provider Validation

- ITIL - service management framework
- COBIT - framework for governance and management of the IT function
- Service Organisation Controls (SOC) - audit approach to supplier and service provider validation
- eSourcing Capability Model for Client Organisations (eSCM-CL), developed by Carnegie Mellon's ITSqc - capability model for organisations that acquire IT services

ITIL Process Structure

[Diagram: ITIL service management processes by lifecycle stage]

Service Strategy:
- Service Portfolio Management
- Financial Management

Service Design:
- Service Catalogue Management
- Service Level Management
- Risk Management
- Capacity Management
- Availability Management
- IT Service Continuity Management
- IT Security Management
- Compliance Management
- IT Architecture Management
- Supplier Management

Service Transition:
- Change Management
- Project Management (Transition Planning and Support)
- Release and Deployment Management
- Service Validation and Testing
- Application Development and Customisation
- Service Asset and Configuration Management
- Knowledge Management

Service Operation:
- Event Management
- Incident Management
- Request Fulfilment
- Access Management
- Problem Management
- IT Operations Management
- IT Facilities Management

Continual Service Improvement:
- Service Evaluation
- Process Evaluation
- Definition of CSI Initiatives
- CSI Monitoring

ITIL Process Structure

- ITIL is concerned with the set of processes that may be implemented by the service provider to deliver the contracted services
- In the context of service provision these processes are operated by the service provider, not by the acquiring organisation; the acquiring organisation's own counterpart is its Supplier Management process
- The service provider should measure its own service performance; the acquiring organisation measures the delivery it actually receives

Service Organisation Controls

- Service Organisation Controls (SOC) originally related to the auditing of financial transactions processed by third parties and the controls they had in place
- The work is designed to be performed by external auditors engaged by the service organisation
- Extended to cover the operation of the service and its compliance with security, availability, processing integrity, confidentiality and privacy commitments
- Three reports:
  - SOC 1 - report on controls relevant to user entities' financial reporting only
  - SOC 2 - detailed report on controls relevant to security, availability, processing integrity, confidentiality and privacy; restricted distribution, intended for the acquiring organisation and its auditors
  - SOC 3 - general-use summary of a SOC 2 examination, designed to be published
- Two report types:
  - Type 1 - describes the controls and evaluates their design at a point in time
  - Type 2 - additionally describes the tests of operating effectiveness performed over a review period (typically six to twelve months) and their results, including any exceptions found

Service Organisation Controls History And Evolution

- 1993 - Statement on Auditing Standards (SAS) No. 70, Service Organizations
- 2008 - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
- 2010 - Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, replacing SAS 70 for service auditor reports
- 2011 - International Auditing and Assurance Standards Board (IAASB) International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization, takes effect as the international equivalent
- 2015 - Updated Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

Note: SSAE 16 was superseded by SSAE 18 (effective May 2017) and the 2014 principles and criteria by the 2017 Trust Services Criteria; the control structure that follows reflects the 2014 criteria.

Service Organisation Controls

- This approach can be adapted and used internally by the IT function to perform initial and regular subsequent audits of suppliers

Service Organisation Controls Structure

[Diagram]
- Common Controls:
  - Organisation and Management
  - Communications
  - Risk Management and Design and Implementation of Controls
  - Monitoring of Controls
  - Logical and Physical Access Controls
  - System Operations
  - Change Management
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy

Service Organisation Controls Structure

- A set of common controls is applied across the areas of Security, Availability, Processing Integrity and Confidentiality
- Privacy controls are a separate set and can be assessed separately
- Additional area-specific sets of controls are defined for Availability, Processing Integrity and Confidentiality; the Security area is covered entirely by the common controls
- 53 controls in total across all topics: 28 common, 3 availability, 6 processing integrity, 6 confidentiality and 10 privacy

Common Controls - Organisation and Management

1. The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the Solution/Service enabling it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
2. Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring and approving the Service Provider/Supplier's Solution/Service controls are assigned to individuals within the Service Provider/Supplier with authority to ensure policies and other solution/service requirements are effectively promulgated and placed in operation.
3. Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the Solution/Service affecting Security/Availability/Processing Integrity/Confidentiality have the qualifications and resources to fulfil their responsibilities.
4. The Service Provider/Supplier has established workforce conduct standards, implemented workforce candidate background screening procedures and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

Common Controls - Communications

1. Information regarding the design and operation of the Solution/Service and its boundaries has been prepared and communicated to authorised internal and external Solution/Service users to permit users to understand their role in the Solution/Service and the results of Solution/Service operation.
2. The Service Provider/Supplier's Security/Availability/Processing Integrity/Confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated Solution/Service requirements are communicated to internal Solution/Service users to enable them to carry out their responsibilities.
3. The Service Provider/Supplier communicates the responsibilities of internal and external users and others whose roles affect Solution/Service operation.
4. Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining and monitoring controls relevant to the Security/Availability/Processing Integrity/Confidentiality of the Solution/Service have the information necessary to carry out those responsibilities.
5. Internal and external Solution/Service users have been provided with information on how to report Security/Availability/Processing Integrity/Confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
6. Solution/Service changes that affect internal and external Solution/Service user responsibilities or the Service Provider/Supplier's commitments and requirements relevant to Security/Availability/Processing Integrity/Confidentiality are communicated to those users in a timely manner.

Common Controls - Risk Management And Design And Implementation Of Controls

1. The Service Provider/Supplier:
   a. Identifies potential threats that would impair the Solution/Service's Security/Availability/Processing Integrity/Confidentiality commitments and requirements
   b. Analyses the significance of the risks associated with the identified threats
   c. Determines mitigation strategies for those risks (including controls and other mitigation strategies).
2. The Service Provider/Supplier designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.
3. The Service Provider/Supplier:
   a. Identifies and assesses changes (for example, environmental, regulatory, and technological changes) that could significantly affect the Solution/Service's system of internal control for Security/Availability/Processing Integrity/Confidentiality, and reassesses risks and mitigation strategies based on the changes
   b. Reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.

Common Controls - Monitoring Of Controls

1. The design and operating effectiveness of controls are periodically evaluated against Security/Availability/Processing Integrity/Confidentiality commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

Common Controls - Logical And Physical Access Controls

1. Logical access security software, infrastructure, and architectures have been implemented to support:
   a. Identification and authentication of authorised users
   b. Restriction of authorised user access to Solution/Service components, or portions thereof, authorised by management, including hardware, data, software, mobile devices, output, and offline elements
   c. Prevention and detection of unauthorised access.
2. New internal and external Solution/Service users are registered and authorised prior to being issued Solution/Service credentials and granted the ability to access the Solution/Service. User Solution/Service credentials are removed when user access is no longer authorised.
3. Internal and external Solution/Service users are identified and authenticated when accessing the Solution/Service components (for example, infrastructure, software, and data).
4. Access to data, software, functions, and other IT resources is authorised and is modified or removed based on roles, responsibilities, or the Solution/Service design and changes to them.
5. Physical access to facilities housing the Solution/Service (for example, data centres, backup media storage, and other sensitive locations, as well as sensitive Solution/Service components within those locations) is restricted to authorised personnel.
6. Logical access security measures have been implemented to protect against Security/Availability/Processing Integrity/Confidentiality threats from sources outside the boundaries of the Solution/Service.
7. The transmission, movement, and removal of information is restricted to authorised users and processes, and is protected during transmission, movement, or removal, enabling the Service Provider/Supplier to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
8. Controls have been implemented to prevent or detect and act upon the introduction of unauthorised or malicious software.

Common Controls - System Operations

1. Vulnerabilities of Solution/Service components to Security/Availability/Processing Integrity/Confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated, and countermeasures are implemented to compensate for known and new vulnerabilities.
2. Security/Availability/Processing Integrity/Confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.

Common Controls - Change Management

1. Security/Availability/Processing Integrity/Confidentiality commitments and requirements are addressed during the Solution/Service implementation lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of Solution/Service components.
2. Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the Solution/Service commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
3. Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during Solution/Service operation and monitoring.
4. Changes to Solution/Service components are authorised, designed, developed, configured, documented, tested, approved, and implemented in accordance with Security/Availability/Processing Integrity/Confidentiality commitments and requirements.

Availability Controls

1. Current processing capacity and usage are maintained, monitored, and evaluated to manage demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.
2. Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
3. Procedures supporting Solution/Service recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.

Processing Integrity Controls

1. Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.
2. Solution/Service inputs are measured and recorded completely, accurately, and in a timely manner in accordance with processing integrity commitments and requirements.
3. Data is processed completely, accurately, and in a timely manner as authorised, in accordance with processing integrity commitments and requirements.
4. Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.
5. Solution/Service output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.
6. Modification of data is authorised, using authorised procedures, in accordance with processing integrity commitments and requirements.

Confidentiality Controls

1. Confidential information is protected during the Solution/Service design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.
2. Confidential information within the boundaries of the Solution/Service is protected against unauthorised access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
3. Access to confidential information from outside the boundaries of the Solution/Service and disclosure of confidential information is restricted to authorised parties in accordance with confidentiality commitments and requirements.
4. The Service Provider/Supplier obtains confidentiality commitments that are consistent with the Service Provider/Supplier's confidentiality requirements from vendors and other third parties whose products and services comprise part of the Solution/Service and have access to confidential information.
5. Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the Solution/Service is assessed on a periodic and as-needed basis, and corrective action is taken if necessary.
6. Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the Solution/Service.

Privacy Controls

1. The Service Provider/Supplier defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. The Service Provider/Supplier provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. The Service Provider/Supplier describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. The Service Provider/Supplier collects personal information only for the purposes identified in the notice.
5. The Service Provider/Supplier limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The Service Provider/Supplier retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations, and thereafter appropriately disposes of such information.
6. The Service Provider/Supplier provides individuals with access to their personal information for review and update.
7. The Service Provider/Supplier discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. The Service Provider/Supplier protects personal information against unauthorised access (both physical and logical).
9. The Service Provider/Supplier maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. The Service Provider/Supplier monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Putting Service Organisation Controls Into Practice

- The controls must be implemented and operated through specific statements of requirements about their application and use that can be verified
- Example - Organisation and Management Common Control 1:

  The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the Solution/Service enabling it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

  Decomposed into verifiable elements:
  - The Service Provider/Supplier's organisational structures, reporting lines, authorities and responsibilities
  - must be appropriately structured in relation to the design, development, implementation, operation, maintenance and monitoring of the Solution/Service
  - in order to comply with requirements relating to Security, Availability, Processing Integrity and Confidentiality

Putting Service Organisation Controls Into Practice

- Sets of statements of requirements can be detailed or high-level
- A set of requirement statements needs to be created for each control area
- A statement of compliance against those requirements needs to be obtained from the Service Provider/Supplier
- Compliance should be verified by auditing a selection of the controls, rather than by accepting the supplier's statement alone
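The procedure in the two slides above (verifiable requirement statements per control area, a supplier statement of compliance, verification by auditing a selection) and the earlier profiling slides (the solution/service dimensions determine the degree of validation and governance required) are the kind of thing that is easy to state and easy to do inconsistently. The following is an added illustration, not material from the deck, of how the IT function could run both steps reproducibly. The dimension weights, tier thresholds, re-validation intervals, control labels such as OM-1, the sample requirement statements and the supplier's sample compliance statement are all assumptions made for the example.

```python
"""Added example (not from the deck): a reproducible supplier re-validation
workflow built on the governance profile and Service Organisation Controls
approach in the slides. Weights, thresholds, control labels and sample data
are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date
import hashlib
import math

# Dimensions from the "Key Dimensions Of Solution/Service" slide, each scored
# 1 (low risk) to 5 (high risk). The relative weights are an assumption.
DIMENSION_WEIGHTS = {
    "importance": 3, "security_requirements": 3, "cost": 2, "duration": 2,
    "complexity": 2, "supplier_inexperience": 2, "customisation": 1,
    "novelty": 1, "size": 1, "transition_effort": 1, "skills_gap": 1,
}
# Tier -> (re-validation interval in months, share of the controls the
# supplier reports as compliant that is audited anyway). Assumed values.
TIERS = {"low": (24, 0.10), "medium": (12, 0.25), "high": (6, 0.50)}


def governance_tier(profile):
    """Weighted average of the scored dimensions, mapped to a governance tier."""
    if not profile or set(profile) - set(DIMENSION_WEIGHTS):
        raise ValueError("profile must use only the known dimensions")
    if any(not 1 <= s <= 5 for s in profile.values()):
        raise ValueError("scores must be between 1 and 5")
    score = (sum(DIMENSION_WEIGHTS[d] * s for d, s in profile.items())
             / sum(DIMENSION_WEIGHTS[d] for d in profile))
    return "high" if score >= 3.5 else "medium" if score >= 2.5 else "low"


@dataclass(frozen=True)
class ControlRequirement:
    control_id: str  # assumed labelling: OM-1 = Organisation and Management control 1
    area: str
    statement: str   # the specific, verifiable statement of requirement


@dataclass(frozen=True)
class ComplianceStatement:
    control_id: str
    status: str      # "compliant", "partial" or "not_compliant"
    evidence: str    # reference to the evidence the supplier supplied


def select_for_audit(requirements, statements, tier, supplier, period, salt):
    """Control ids to audit this period: everything not reported compliant
    (including controls the supplier did not address at all), plus a
    tier-dependent sample of the compliant ones. The sample is chosen by
    ranking on a hash of an acquirer-held salt, supplier, period and control
    id, so it is reproducible for the audit record yet not predictable by the
    supplier as long as the salt stays with the acquiring organisation."""
    reported = {s.control_id: s for s in statements}
    must_audit, compliant = [], []
    for req in requirements:
        stmt = reported.get(req.control_id)
        if stmt is not None and stmt.status == "compliant":
            compliant.append(req.control_id)
        else:
            must_audit.append(req.control_id)
    sample_size = math.ceil(len(compliant) * TIERS[tier][1])

    def rank(control_id):
        return hashlib.sha256(f"{salt}|{supplier}|{period}|{control_id}".encode()).hexdigest()

    return must_audit + sorted(compliant, key=rank)[:sample_size]


def next_revalidation_due(last_validated, tier):
    """Add the tier's interval in whole months; the day is clamped to 28 so
    the result is always a valid date."""
    total = last_validated.month - 1 + TIERS[tier][0]
    return date(last_validated.year + total // 12, total % 12 + 1,
                min(last_validated.day, 28))


# Constructed sample data (not from the deck).
SAMPLE_REQUIREMENTS = [
    ControlRequirement("OM-1", "Organisation and Management", "Org chart and RACI for the service are documented and current"),
    ControlRequirement("OM-4", "Organisation and Management", "Background screening completed before access to the service is granted"),
    ControlRequirement("LA-2", "Logical and Physical Access", "Credentials issued only after approval and removed on termination"),
    ControlRequirement("SO-2", "System Operations", "Security incidents logged and handled under the documented procedure"),
    ControlRequirement("CM-4", "Change Management", "Changes authorised, tested and approved before deployment"),
    ControlRequirement("A-3", "Availability", "Recovery procedures exercised at least annually, with results recorded"),
]
SAMPLE_STATEMENTS = [
    ComplianceStatement("OM-1", "compliant", "org-chart-2016-01.pdf"),
    ComplianceStatement("OM-4", "partial", "screening-policy.pdf (contractors not screened)"),
    ComplianceStatement("LA-2", "compliant", "jml-register-q4.xlsx"),
    ComplianceStatement("SO-2", "not_compliant", "incident procedure still in draft"),
    ComplianceStatement("CM-4", "compliant", "change-log-q4.csv"),
    # A-3 is deliberately absent: the supplier did not address it.
]
SAMPLE_PROFILE = {"importance": 5, "security_requirements": 5, "cost": 4, "duration": 4,
                  "complexity": 3, "customisation": 2, "novelty": 2,
                  "supplier_inexperience": 1, "skills_gap": 3}

if __name__ == "__main__":
    tier = governance_tier(SAMPLE_PROFILE)
    print(tier, select_for_audit(SAMPLE_REQUIREMENTS, SAMPLE_STATEMENTS, tier,
                                 "ExampleCo", "2016-H1", "acquirer-secret-salt"),
          next_revalidation_due(date(2016, 2, 9), tier))
```

Two design points are worth noting. A control the supplier simply omits from its statement of compliance is treated exactly like one it admits is not met: silence is not evidence. And the audit sample is derived from a salted hash rather than a random number generator so that the selection can be recorded and reproduced for the audit file, without the supplier being able to work out in advance which of its "compliant" controls will be tested.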

Summary

- Competence in sourcing is a core skill of the IT function
- Vendor assessment and validation during the life of the sourcing arrangement is crucial
- Sourcing should not be a fire-and-forget activity
- The Service Organisation Controls audit approach can be adapted for use by the IT function to develop an effective approach to vendor governance