Control A10 of ISO 27001 mandates for outsourcing organization to monitor and review the performance of third party service provider on regular basis which includes the contractor working on critical assets within the scope. Service level Agreement (SLA) or Operation level Agreement (OLA) are the binding legal agreement which includes all the important services to fullfil the information security and compliance requirements of an organization.
Contract with service provider should require the need of standard reports on regular basis which should be reviewed at least monthly and attended by staff and management responsible for services. In these meetings, management should ensure that contractual requirements have been met by the service provider
Key management responsibilities should include but not limited to the followings:
- Outsourcing organization should decide which key metrics will be created to monitor the performance of service provider which will ensure that contractual clauses are met consistanly.
- For information security related services, reviewing all incidents for sepcified period (at least once a month) to make sure thay have been included in an organization treatment plan for appropriate corrective actions based on an organization risk priorty.