Circular 18/2018/TT-NHNN, issued on August 21, 2018, regulates information system security in banking activities. One of its fundamental provisions is the set of general principles for using third-party information technology (IT) services.
To be specific, according to the provisions of Article 31 of Circular 18/2018/TT-NHNN, when utilizing information technology services from a third party, organizations must ensure the following principles:
Firstly, not to diminish the organization's ability to provide continuous service to customers.
Secondly, not to diminish the control over the organization's business processes.
Thirdly, not to change the organization's responsibility in ensuring information security.
Fourthly, third-party information technology services must comply with the organization's information security requirements.
In addition, the Circular specifically stipulates that before using third-party services, organizations must:
- Conduct an information technology risk assessment and an operational risk assessment that, at a minimum, cover the following contents:
  - Identify risks, and analyze and estimate the level of harm and the threats to information security;
  - Assess the ability to control business processes, the ability to provide continuous service to customers, and the ability to fulfill the obligation of providing information to state agencies;
  - Clearly define the roles and responsibilities of the parties involved in ensuring service quality;
  - Develop risk mitigation measures, preventive measures, and incident response and remediation measures;
  - Review and adjust risk management policies (if any).
- In the case of using cloud computing services, in addition to the above requirements, organizations must:
  - Classify the activities and business processes expected to be deployed on cloud computing, based on an assessment of the impact of these activities and processes on the organization's operations;
  - Develop contingency plans for information system components of level 2 and above. The contingency plans must be tested and evaluated for their readiness to replace the activities and processes deployed on cloud computing;
  - Develop criteria for selecting third parties that meet the requirements stipulated in Article 33 of Circular 18/2018/TT-NHNN;
  - Review, supplement, and apply measures to ensure the organization's information security and to limit access from cloud computing to the organization's information systems.
In cases where a third party is hired to manage an entire information system of level 2 or above, organizations must conduct a risk assessment in accordance with Clause 1, Article 32 of Circular 18/2018/TT-NHNN and submit the risk assessment report to the State Bank of Vietnam (Information Technology Department).
Refer to related content at: Circular 18/2018/TT-NHNN, effective January 1, 2019.