Incorporating information security standards into agreements with vendors

To ensure customers and vendors are clear on what is required to protect a customer’s data, customers can rely on information security standards as contractual safeguards.

Still, there are several different standards to pick from, and customers should consider the advantages and disadvantages of each standard when negotiating agreements with vendors.

Businesses and other organizations are increasingly outsourcing information technology (IT) services to third-party vendors. These outsourcing arrangements often involve disclosing personal information and other sensitive confidential information to third-party vendors for processing to support business activities. It is important for organizations to recognize, however, that they typically remain legally responsible for their information, even when it is in the hands of vendors. For example, the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”) provides that organizations must implement procedures and take appropriate measures to protect personal information, and must use contractual or other means to ensure a comparable level of protection is provided for personal information that is disclosed to third parties.

One way to efficiently implement these necessary contractual protections is to leverage existing information security standards when defining vendor information security obligations in contracts. For example, a contract can be drafted to obligate a vendor to (1) comply with a particular security standard, and (2) furnish periodic assurance of compliance (for example, through a certification or audit report). In this blog, we will outline three popular information security standards that are frequently used for this purpose: ISO 27001, SOC 2 and NIST CSF.

ISO 27001

ISO 27001 is a comprehensive and globally recognized information security standard used to help establish, maintain and improve information security management systems. It is generally most appropriate for vendors with well-established information security management systems. Achieving and maintaining ISO 27001 certification requires a significant commitment of time and resources by the vendor.

A key benefit of the ISO 27001 standard is its certification framework. Vendors that implement ISO 27001 typically engage accredited third-party auditors to check the vendor’s compliance with the standard. If the auditor is satisfied the vendor is meeting the standard, the vendor receives an ISO 27001 compliance certificate that the vendor can then provide to its customers to demonstrate it is maintaining the security measures prescribed by the ISO 27001 standard. Certification lasts for three years, although the auditor will perform periodic checks during this period to test for continued compliance. After the three-year certification period has elapsed, vendors need to order a new audit in order to recertify.


SOC 2 is an information security audit and reporting framework developed by the American Institute of Certified Public Accountants (“AICPA”). SOC 2 audits are conducted in accordance with the Statement for Attestation Engagements 18 (“SSAE 18”) standard, also developed by AICPA. SOC and SSAE 18 are often referred to interchangeably. While SOC 2 is most commonly used in the United States, it is recognized in other jurisdictions as well (particularly in North America).

A SOC 2 audit is specifically designed for organizations providing data processing and cloud storage services. A notable feature of SOC 2 is its flexibility. Organizations may be assessed against up to five criteria: (i) security; (ii) availability; (iii) processing integrity; (iv) confidentiality; and (v) privacy. However, the only mandatory criterion is security, and organizations may select which of the other four criteria should be in the audit’s scope based on their applicability to the organization’s business.

In contrast to ISO 27001, SOC 2 does not leverage a certification framework. SOC 2 compliance is still determined by way of audits, but SOC 2 audit findings are only valid for one year. The vendor is therefore required to demonstrate full compliance with the SOC 2 standard once each year in order to demonstrate ongoing compliance with the standard.

Vendors also have the option of leveraging a “Type I” audit or a “Type II” audit to demonstrate compliance with the SOC 2 standard. A “Type I” audit generally takes a few weeks and the resulting report is best understood as a snapshot of the vendor’s security controls measured against the SOC 2 standard. A “Type II” audit can take up to a full year and the resulting report is intended to address the operating effectiveness of the vendors’ security controls over time. Both audits are performed by third-party accounting firms possessing the relevant qualifications.


The National Institute of Technology (“NIST”) Cybersecurity Framework (“CSF”) is a publicly available framework that many organizations have used to enhance their cybersecurity position. Similar to SOC 2, NIST CSF is most commonly used in the United States, but is recognized in other international jurisdictions as well.

Compared to ISO 27001 and SOC 2, NIST CSF provides the most flexibility in the sense that there is no formal certification or audit process to verify NIST CSF compliance. NIST CSF is an entirely voluntary framework consisting of standards, guidelines, and best practices that organizations can adapt to meet their particular needs. However, the cost of this flexibility is that a bare statement in a contract to the effect that a data processor complies with NIST CSF is inherently ambiguous, making it potentially difficult to interpret or enforce.

The lack of a formal certification or audit procedure is an important point of distinction because although organizations can obligate vendors to comply with aspects of NIST CSF, such as its defined core functions and implementation tiers, proactive verification of compliance with the standard is more difficult for NIST CSF than it is with ISO 27001 and SOC 2. Consequently, one way to think of NIST CSF is as a useful tool for data processors to enhance their cybersecurity positions, as opposed to a useful tool for data processors’ customers to test or validate those cybersecurity positions.

For more information on NIST CSF, including recent developments, please see our previous blog post.

Takeaways for organizations

Incorporating information security standards such as ISO 27001, SOC 2 or NIST CSF into your contracts with vendors can help manage your risk when outsourcing IT services. Nonetheless, it is important to understand the standards and the level of assurance they can provide. This understanding can help your organization differentiate between the security postures of potential vendors and help you make the best choice for your organization.

The lawyers in the MLT Aikins Privacy, Data Protection & Cybersecurity group have extensive experience advising on and assisting with reviewing and drafting contracts to mitigate risks from a privacy and cybersecurity perspective. Our group can also help you choose the right information security standard to include in your IT contracts with vendors. Contact us to learn more.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.