A.5.19 / A.5.20 / A.5.21 / NIST 800-53 SA-9 / CIS 15.2 ISO/IEC 27001:2022 Annex A

Do contracts include standard security clauses (right to audit, breach notification, data return/destruction, sub-processor controls)?

Demonstrate that executed third-party contracts contain enforceable security clauses covering audit rights, breach notification requirements, data lifecycle management, and sub-processor governance.

Description

What this control does

This control ensures that all third-party vendor and service provider contracts include mandatory security clauses protecting organizational data and rights. Standard clauses must cover the right to audit security controls, mandatory breach notification timelines, procedures for secure data return or certified destruction upon contract termination, and requirements for managing sub-processors with equivalent security standards. These contractual obligations create enforceable legal mechanisms to maintain security accountability across the supply chain and establish clear responsibilities when vendors handle, process, or store sensitive organizational data.

Control objective

What auditing this proves

Demonstrate that executed third-party contracts contain enforceable security clauses covering audit rights, breach notification requirements, data lifecycle management, and sub-processor governance.

Associated risks

Risks this control addresses

  • Vendors suffer data breaches but delay or fail to notify the organization, preventing timely incident response and regulatory reporting
  • Organization lacks contractual authority to audit vendor security controls, creating blind spots in third-party risk management
  • Vendors retain or improperly dispose of sensitive data after contract termination, leading to unauthorized data exposure or regulatory violations
  • Sub-processors with inadequate security controls gain access to organizational data without visibility or approval, expanding the attack surface
  • Vendors refuse to participate in security assessments or provide evidence of compliance, preventing effective risk evaluation
  • Data deletion cannot be verified after vendor relationship ends, creating long-term liability for data subject rights and privacy obligations
  • Contractual ambiguity regarding security responsibilities enables vendors to deny accountability for security failures or data incidents

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of active third-party contracts involving data processing, storage, or transmission from legal, procurement, and IT departments
  2. Select a representative sample of contracts stratified by vendor risk tier, data classification handled, and contract value (minimum 15-20 contracts or 20% of population)
  3. Review each sampled contract to identify and extract security-related clauses, noting the presence or absence of audit rights, breach notification, data return/destruction, and sub-processor provisions
  4. Verify that audit rights clauses specify frequency (e.g., annual), scope, advance notice requirements, and remediation timelines for identified deficiencies
  5. Confirm breach notification clauses define specific timeframes (e.g., within 24-72 hours of discovery), required notification content, and escalation procedures
  6. Examine data return and destruction clauses to ensure they specify methods (e.g., certified deletion, physical destruction), verification procedures, and timelines upon contract termination
  7. Assess sub-processor clauses for requirements including prior written approval, flow-down of security obligations, and notification of sub-processor changes
  8. Interview procurement and legal staff to validate that contract templates include these standard clauses and that deviations require formal exception approval with compensating controls

Evidence required

Executed contract copies with security clauses highlighted or extracted, contract template versions showing standard security language, vendor contract inventory with risk classifications, legal or procurement approval records for any security clause exceptions, and documented evidence of contract review processes including checklists or rubrics used during vendor onboarding.

Pass criteria

All sampled contracts contain explicit clauses addressing right to audit, breach notification with defined timeframes, data return or destruction procedures, and sub-processor controls, with any exceptions formally documented and approved with documented compensating controls.