IBM Cloud Docs
ESA-5 - Subcontractor Risk Management

Control requirements

ESA-5 - 0
The organization must have oversight and controls on activities they outsource to subcontractors that contribute to the delivery of products or services contracted with the customer. The oversight and controls of these subcontractors must be commensurate with the level of risk associated with the products and services that the organization provides to the customer. If the organization is dependent on a subcontractor to meet Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) contracted with the customer, the organization must be able to demonstrate that it monitors and oversees subcontractor recovery capabilities to ensure they can also recover within those RTO/RPO timeframes. Organization monitoring and oversight of subcontractors must include annual:

  • Review of subcontractor business continuity plans to ensure recovery strategies of products and services support the contracted RTO/RPO timeframes with the customer
  • Testing of subcontractor business continuity plans to ensure recovery occurs within the contracted RTO/RPO timeframes with the customer
  • Review of subcontractor testing results and validation that any findings generated are remediated and monitored to closure, with critical findings being addressed within 45 days of issue identification
  • Review of subcontractor response framework to ensure adequate capabilities are in place for rapid assembly and response in the event of a disruption

Implementation guidance

See the resources that follow to learn more about how to implement this control.

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

  • Check whether provisioned services are IAM enabled
  • Check whether the Financial Services Validated setting is enabled in account settings