Vendors and service providers play an important role in the service delivery chain and therefore need to be managed appropriately. In the context of this standard, a vendor is any legal third-party entity delivering services to the organization. A service provider could be a vendor as well as an internal department delivering services to another department.
Each of the service providers’ obligations should be documented and managed using a Service Level Agreements (SLAs) and supporting service level management processes. The SLAs should have sufficient and unambiguous descriptions of the service requirements including sample calculations related to performance, penalties and other variables based on calculations.
Vendors should be carefully selected and categorized - details are described in section 20.7