# Service Level Agreements and Contracts

Backlink: [[Domain 1 - Index]]

**Definition:** Legal instruments defining services, responsibilities, performance targets, and remedies.

## Key Facts

- SLAs: uptime/RTO/RPO, support times, penalties/credits.
- DPAs: controller/processor duties, subprocessing, deletion, cross-border transfers.
- NDAs: confidentiality and use limitations for sensitive info.
- Right-to-audit and reporting cadence requirements.
- Security addendum: controls, certifications, incident notification timeline.
- **Verify:** check official (ISC)² CBK and current exam outline.

> [!tip] **Exam Relevance**
> - Select clauses addressing a given risk
> - Interpret SLA metrics and remedies

> [!note] **Mnemonic**
> - “Specify, Measure, Enforce.”

### Example

Q: Need assurance of timely breach notice. Clause?
A: Incident notification within X hours.

## Revision Checklist

- [ ] Name 4 core SLA elements
- [ ] Distinguish NDA vs. DPA
- [ ] Explain the purpose of a right-to-audit clause
- [ ] Plan termination data handling

## Related

[[Third-Party and Supplier Risk Management]] · [[Recovery Objectives (RTO, RPO, WRT, MTD)]] · [[Privacy Principles and Regulations]] · [[Compliance Frameworks and Audits (SOX, PCI DSS, SOC Reports)]] · [[Risk Response Strategies]]

#cisSP #domain-1 #concept