# Third-Party Operational Risk and Managed Services

One-sentence definition: Manage outsourced operations with clear SLAs, controls, and oversight.

## Key Facts

- Define services, SLAs, metrics, evidence, and right-to-audit.
- Shared runbooks and comms; incident integration and escalation paths.
- Validate staffing, coverage, and handoffs; measure outcomes.
- Termination/transition plans and data return/destruction clauses.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose contracts with measurable security outcomes.

**Mnemonic:** “**Outsource, not out-of-control**.”

## Mini Scenario

Q: MSSP misses P1 SLA—response?

A: Review contract, issue CAP, consider service credits or changes.

## Revision Checklist

- SLA components.
- Integration needs.
- Exit plan.

## Related

[[Third-Party Assessment and Vendor Risk Testing]] · [[Security Operations Center (SOC) Fundamentals]] · [[Business Continuity Operations and Crisis Communications]] · [[Operational Metrics and KPIs (MTTD MTTR Coverage)]] · [[Incident Classification Severity and SLAs]] · [[Domain 7 - Index]]