It also requires the policy to include measures to identify, prevent and manage potential conflicts of interest.

As part of the assessment process the policy must prescribe the evaluation of the following criteria in connection with the third-party provider:

1. Business reputation.
2. Sufficient abilities.
3. Expertise.
4. Adequate financial resources.
5. Adequate human resources.
6. Adequate technical resources.
7. Information security standards.
8. Appropriate organisational structure including;
   1. Risk management.
   2. Internal controls.
9. Required authorisation or registration (if applicable) to provide the services in a reliable and professional manner.
10. Ability to monitor relevant technological developments.
11. Ability to identify ICT security leading practices.
12. Ability to implement ICT security leading practices where appropriate to have an effective and sound digital operational resilience framework.

In addition the policy must require the consideration of the following criteria:

1. Potential sub-contracting.
2. Location.
3. Location of processing and storage of data.
4. Consent to audit, including onsite, by:
   1. The contracting entity.
   2. Appointed third-parties.
   3. Regulators.
5. Acting in an ethical and socially responsible manner including adherence to:
   1. Human and children’s rights.
   2. Principles of environmental protection.
   3. Appropriate working conditions including the prohibition of child labour.