eGRACS Solution Outsourcing Controls Triangle
This Tactical Tier control triangle seeks to manage the outsourcing of specific solution components or entire projects to external providers, ensuring effective collaboration, service delivery, and adherence to the organisation's quality, security, and business requirements.
This control rolls down from the Deliver Solution Domain and cascades into: 2.2.3.1-Onshore Solution, 2.2.3.2-Offshore Solution, and 2.2.3.3-Cloud Solution controls.
Control Mappings:
Cobit:2019 ➡️ APO07; APO07.06; APO09; APO09.03; APO09.05; APO10; APO10.01; APO10.03; DSS01; DSS01.02
ISO27001:2022 ➡️ 8; 8.1
ISO38500:2024 ➡️ 5.7.1
ITIL:v4 ➡️ GM6; GM11; GM13
NIST:CSFv2 ➡️ GV; GV.OC-02; GV.OC-05; GV.RM-05; GV.SC; GV.SC-01; GV.SC-02; GV.SC-03; GV.SC-04; GV.SC-05; GV.SC-07; GV.SC-08; GV.SC-09; GV.SC-10; ID.AM-02; ID.AM-04; ID.RA-10; ID.IM-02; DE.CM-06
MaRisk:2024 ➡️ AT 4.2(2); AT 4.3.1; AT 4.3.2(2); AT 5(3e); AT 7.3(1); AT 9(1); AT 9(2); AT 9(6); AT 9(7); BT 2.1(3); BT 2.3(1)
CIS:v8 ➡️ Audit Log Management; Collect Service Provider Logs; Service Provider Management; Establish and Maintain an Inventory of Service Providers; Classify Service Providers; Assess Service Providers; Monitor Service Providers