PS-07 Third-Party Personnel Security

Personnel Security

Baselines: Low, Moderate, High

Description

The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.

Supplemental Guidance

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents. NIST Special Publication 800-35 provides guidance on information technology security services.

Enhancements

(0) None.

Compliance Mappings

ISO 27002:2022: 5.46.2
NIST CSF 2.0: GV.RR-04
SOC 2 TSC: CC5.3
PCI DSS v4.0.1: 12.7
ISO 42001:2023: A.10.2
NIS2 Directive: Art. 21(2)(i)
PRA Operational Resilience: SS2/21-5.1, SS2/21-6.1
BSI IT-Grundschutz: ORP.2
ANSSI: Hygiene.7, SecNumCloud.16.1, SecNumCloud.8.1
FINMA Circular 2023/1: IV.F(100), V(101), V(102)
OSFI B-13: B-13.1.1, B-13.4.1
EU GDPR: Art.28(1), Art.28(3)(b), Art.32(4)
EU DORA: Art.28(5), Art.30(2)(a)
BIO2: 5.46.2
RBI CSF: Annex1.11ITGRCA.10
FISC Security Guidelines: FISC.O6, FISC.O8
LGPD + BCB 4893: LGPD.Art.47
HKMA TM-E-1: TME1.12.2
MLPS 2.0: 8.1.8.3
DNB Good Practice: DNB.16.3, DNB.5.1, DNB.8.4
SAMA CSF: 1.51.74.14.2
NCA ECC: 1-94-1
UAE IA: T5
CBB TM: TM-15
Qatar NIA: HR
CBE CSF: GOV-2
SA JS2: JS2-8.6, JS2-8.7
CBN CSF: Part1.2, Part2.4, Part9
BoG CISD: CISD-XV, CISD-XVI
POPIA: s20
BoM CTRM: 1.23.83.9
IOSCO Cyber Resilience: GOV-4, GOV-5
BCBS 239: Principle 1
FFIEC IS: I.B, II.C.20, II.C.7, II.C.7(a), II.C.7(d)
NYDFS 500: 500.10, 500.11
HIPAA Security Rule: §164.308(a)(3)(i), §164.308(b)(1), §164.308(b)(3), §164.314(a)(1), §164.314(a)(2)
ECB CROE: CROE.2.3.2
EBA ICT Guidelines: 3.2.3
SEBI CSCRF: GV.RR, GV.SC
BOT Cyber Resilience: Ch7.2
CMMC 2.0: PS
NERC CIP: CIP-004-7
10 CFR 73.54: RG5.71-C-PS
DOE C2M2 v2.1: WORKFORCE
API 1164: Sec 13
IAEA NSS 17-T: Sec 9
PCI PTS v6: H
CBEST: CBEST.8
PCI HSM: 6
Solvency II: Art.49(1), DR.272
Lloyd's Minimum Standards: MS13.1, MS8.8
NAIC Insurance Data Security: 4-personnel4D
PRA SS1/23: P2.2, P2.4
FCA SYSC 13: SYSC 13.6.3, SYSC 13.6.4, SYSC 13.9.2
HITRUST CSF v11: 02.b, 05.a, 05.b
ISO 27799: 7.2
NHS DSPT: NDG-4.2
Basel SCO60: SCO60.55, SCO60.62
BSSC Standards: GSP-04
SEC Custody (Digital Assets): SEC-CD-16
ISO 17799 (legacy): 6.2.1, 6.2.3, 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 11.2.1
COBIT 4.1 (legacy): PO4.14, DS2.2