Customer Support Outsourcing Agreement
The contract sets out each party's responsibilities toward the other by identifying the parties to the contract, the effective date, the functions or services being provided (e.g. defined service levels), liabilities, limitations on the use of sub-contractors, and the other commercial and legal matters customary in any contract. Depending on the results of the risk assessment, additional controls should be embedded in or referenced by the contract, such as:
- Legal, regulatory and other third-party obligations, such as data protection/privacy laws, anti-money-laundering rules, etc.
- Information security obligations and controls, such as:
  - Information security policies, procedures, standards and guidelines, normally within the context of an Information Security Management System such as that defined in ISO/IEC 27001, and the Data Protection Regulation (EU) 2016/679;
  - Background checks on dedicated employees or third parties working on the contract;
  - Access controls to restrict unauthorized disclosure, modification or destruction of information, including physical and logical access controls, and procedures for granting, reviewing, updating and revoking access to systems, data and facilities, etc.;
  - Information security incident management procedures, including mandatory incident reporting;
  - Return or destruction of all information assets by the outsourcer after completion of the outsourced activity, or whenever an asset is no longer required to support the outsourced activity;
  - Copyright, patents and similar protection for any intellectual property shared with the outsourcer or developed in the course of the contract;
  - Specification, design, development, testing, implementation, configuration, management, maintenance, support and use of security controls within or associated with IT systems, plus source code escrow;
  - Anti-malware, anti-spam and similar controls;
  - IT change and configuration management, including vulnerability management, patching, and verification of system security controls prior to their connection to production networks;
  - The right of the Company to monitor all access to and use of the Company's facilities, networks, systems, etc., and to audit the outsourcer's compliance with the contract, or to employ a mutually agreed independent third-party auditor for this purpose;
  - Business continuity arrangements, including crisis and incident management, resilience, backups and IT disaster recovery.
Although outsourcers certified as compliant with ISO/IEC 27001 can be presumed to have an effective Information Security Management System in place, it may still be necessary for the Company to verify the security controls that are essential to addressing the Company's specific security requirements, typically by auditing them.