Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-1-1 – Cybersecurity requirements for contracts and agreements with third-parties must be identified, documented and approved.
This control is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and requires a documented, approved approach to ensuring third parties meet your security expectations.
Understanding the Requirement
The control requires your organization to develop and maintain a Third-Party Cybersecurity policy that identifies the cybersecurity requirements to include in contracts and agreements, documents third-party risk assessment procedures, specifies how data and information must be protected, and defines responsibilities for incident management. The policy must be formally approved by executive management (the organization head or their deputy) so contract commitments and enforcement steps are authorized at the right level.
Technical Implementation
- Create a Third-Party Cybersecurity policy document. Include minimum contractual clauses such as: security control baselines, data classification and handling rules, encryption and key management requirements, access control and least privilege, breach notification timelines (e.g., notify within 72 hours), and right-to-audit and remediation obligations.
- Inventory and categorize third parties. Maintain a vendor register with data types processed, vendor criticality (high/medium/low), and the contractual status. Use this inventory to drive which contracts need enhanced security clauses and which vendors require full security assessments.
- Implement a third-party risk assessment workflow. Use a standard questionnaire and risk-rating matrix to assess onboarding and periodic review. For high-risk vendors require security evidence (SOC reports, penetration test results, ISO certification) and map their controls to your policy requirements.
- Embed contractual language and templates into procurement. Provide legal and procurement with approved clause templates (incident response, data breach notification, data return/destruction, subcontractor controls, SLAs, indemnity) so each contract contains consistent cybersecurity protections.
- Assign approval and escalation paths. Require executive sign-off for contracts that process sensitive data or exceed a defined risk threshold. Document who can approve what (procurement, legal, CISOs) and track approvals in your contract management system.
- Monitor and enforce post-signature. Define technical checks (periodic vulnerability scans, security posture monitoring, SLA metric reviews) and a remediation timeline. Include termination triggers for repeated noncompliance and schedule annual contract reviews and re-assessments.
Example in a Small or Medium Business
A small SaaS company that stores customer data decides to formalize its third-party security approach. It drafts a Third-Party Cybersecurity policy that lists required contract clauses (encryption at rest and in transit, 72-hour breach notification, and right-to-audit) and a simple vendor risk matrix. The company inventories all vendors and flags its payment processor and cloud-hosting provider as high risk. For these vendors it requires recent penetration test results and a signed addendum with specific SLAs and incident notification timelines. Procurement uses the approved templates so each new contract automatically includes the required security language, and the CTO or their deputy must sign off on high-risk agreements. After onboarding, the security team runs quarterly checks of vendor attestations and logs performance against SLA metrics; vendors that fail to meet remediation deadlines are placed on a corrective action plan or replaced. Executive approval is recorded in the contract system to demonstrate policy support and governance for audits or customer inquiries.
Summary
By documenting a Third-Party Cybersecurity policy, embedding required security clauses into contract templates, using a vendor inventory and risk assessment process, and requiring executive approval for higher-risk agreements, SMBs can ensure third-party cybersecurity requirements are consistently identified, documented and approved. Combining clear policy, procurement controls, and ongoing technical monitoring provides practical, enforceable protections for your data and reduces supply-chain risk.