+Subcontracting Risk Management

1. Overview

Subcontracting Risk Management

With regards to subcontracts that support a critical or important function:Establish a risk management process to oversee subcontracting activities effectively. Monitor the entire ICT subcontracting chain, documenting conditions and ensuring compliance with contractual obligations and the obligation to maintain and update the register of information. Review contractual documentation to verify adherence to established conditions throughout the subcontracting chain. Require advance notice of significant changes to subcontracting arrangements, enabling thorough risk assessment and mitigation. Ensure that the right to approve changes or request modifications to material subcontracting activities is added to the contracts with the third-party ICT service providers that provide critical or important functions. Implement proactive measures to address identified risks and enhance subcontracting oversight.

Summary	Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source	Requirement

3. Related Regulations

Regulations
Source	Regulation

NOREA -
NOREA, de beroepsorganisatie van IT-auditors - DORA in Control Framework