To mitigate the risks identified, the policy should specify the planning of contractual arrangements, including the risk assessment, the due diligence, and the approval process for new or material changes to those contractual arrangements. In order to manage the risks that may arise before entering into a contractual arrangement with an ICT third-party service providermeans an undertaking providing ICT services;, the policy should specify an appropriate and proportionate process to select and assess the suitability of prospective ICT third-party service providersmeans an undertaking providing ICT services; and require that the financial entity takes into account a non-exhaustive list of elements that the ICT third-party service providersmeans an undertaking providing ICT services; should have in place. The list should include elements related to the business reputation of the service providers, their financial, human and technical resources, their information-security, their organisational structure, including risk management, and their internal controls.