ISMS Compliance
CyFun BasicIdentify

ID.AM-4: External information systems

External information systems are catalogued

IDENTIFYID.AM-4

Requirement

No requirements are identified for the assurance level 'Basic', but guidelines are provided to increase information security.

Our Implementation

External information systems are comprehensively catalogued in the organisation's evidence pages. The inventory covers 11 cloud providers and 33 software tools across six categories: own products, core business SaaS, AI/LLM providers, sales and marketing, operations, and development tools.

Security requirements are evaluated during vendor selection, with EU data residency mandated for critical providers (Supabase on AWS eu-central-1). Each service is classified by criticality level (Critical, High, Medium, Low) and monitored for availability and security notifications.

Gaps / Planned improvements:

  • Formal bilateral Data Processing Agreements (DPAs) not yet in place for all providers (NEX-348)
  • Not all SaaS tools have undergone formal security assessment — particularly sales and marketing tools (NEX-349)
  • No standardised vendor security questionnaire used during procurement (NEX-373)

Evidence

ImplementedL2 — Repeatable

ID.AM-3: Communication and data flows

Organisational communication and data flows are mapped

ID.AM-5: Resource prioritisation

Resources are prioritised based on their classification, criticality, and business value

On this page

RequirementOur ImplementationEvidence