Information Security Policy for Supplier Relationships
Introduction
Vertic Ltd Pty and its core business exist in a wider economic environment in which effective relationships with suppliers are critical to its continued success. It is therefore very important that our relationships with suppliers are based on a clear understanding of our expectations and requirements in the area of information security. These requirements must be documented and agreed in a way that leaves no doubt about the importance we place on the maintenance of effective controls to reduce risk. The purpose of this document is to set out the organisation’s information security policy in the area of supplier relationships.
Information security policy for supplier relationships
General provisions
In general, information security requirements will vary according to the type of contractual relationship that exists with each supplier and the goods or services delivered.
However, some or all of the following will generally apply.
The information security requirements and controls may be formally documented in a contractual agreement which may be part of, or an addendum to, the main commercial contract
Separate Non-Disclosure Agreements must be used where a more specific level of control over confidentiality is required
Appropriate due diligence must be exercised in the selection and approval of new suppliers before contracts are agreed
The information security provisions in place at existing suppliers (where due diligence was not undertaken as part of initial selection) must be clearly understood and improved where necessary
Remote access by suppliers must be via approved methods that comply with our information security policies
Access to Vertic Ltd Pty information must be limited where possible according to clear business need
Basic information security principles such as least privilege, segregation of duties and defence in depth must be applied
The supplier will be expected to exercise adequate control over the information security policies and procedures used by sub-contractors who play a part in the supply chain for delivery of goods or services to Vertic Ltd Pty
Vertic Ltd Pty will have the right to audit the information security practices of the supplier and, where appropriate, sub-contractors
Incident management and contingency arrangements must be put in place based on the results of a risk assessment
Awareness training will be carried out by both parties to the agreement, based on the defined processes and procedures
A Supplier Information Security Checklist may be required for completion by external suppliers
The selection of required controls must be based upon a comprehensive risk assessment considering information security requirements, the product or service to be supplied, its criticality to the organization and the capabilities of the supplier.
Cloud services
Cloud service providers (CSPs) must be clearly recognised as such so that the risks associated with the CSP’s access to and management of Vertic Ltd Pty cloud data may be managed appropriately.
When acting as a CSP, Vertic Ltd Pty will clearly set out the relevant information security measures it will implement as part of the agreement. Vertic Ltd Pty will also ensure that information security objectives are set for third parties who provide components of the cloud service to customers and that they carry out adequate risk assessment in order to achieve an acceptable level of security.
Due diligence
Before contracting with a supplier, it is incumbent upon Vertic Ltd Pty to exercise due diligence in reaching as full an understanding as possible of the information security approach and controls the supplier has in place. It is important that the documented Supplier Due Diligence Assessment Procedure is followed so that all the required information is collected and an informed assessment can be made.
This is particularly important where cloud computing services are involved, as legal requirements regarding the location and storage of personal data must be taken into account.
Addressing security within supplier agreements
Once a potential supplier has been positively assessed through due diligence, the information security requirements of Vertic Ltd Pty must be reflected within the written contractual agreement entered into. This agreement must consider the classification of any information that is to be processed by the supplier (including any required mapping between Vertic Ltd Pty classifications and those in use within the supplier), legal and regulatory requirements, and any additional information security controls that are required.
For cloud service contracts, information security roles and responsibilities must be clearly defined in areas such as backups, incident management, vulnerability assessment and cryptographic controls.
A template Vertic Ltd Pty Supplier Information Security Agreement may be used as a starting point.
Appropriate legal advice must be obtained to ensure that contractual documentation is valid within the country or countries in which it is to be applied.
Evaluation of existing suppliers
For those suppliers that were not subject to an information security due diligence assessment prior to an agreement being made, an evaluation process must be undertaken in order to identify any required improvements. For details of this process see Supplier Information Security Evaluation Process.
Monitoring and review of supplier services
In order to focus resources on the areas of greatest need, suppliers will be categorised based on an assessment of their value to the organization.
Each supplier will be placed into one of the following four categories:
Commodity
Operational
Tactical
Strategic
The recommended frequency of supplier review meetings between Vertic Ltd Pty and each supplier will be determined by the supplier’s category according to the following table.
Supplier category | Recommended meeting frequency |
Commodity | None |
Operational | On contract renewal |
Tactical | Annually |
Strategic | Monthly/Quarterly |
Table 1: Meeting frequencies by supplier category
Each supplier will have a designated contract manager within Vertic Ltd Pty who is responsible for arranging, chairing and documenting the meetings.
The performance of strategic suppliers will be monitored on a regular basis in line with the recommended meeting frequency. This will take the form of a combination of supplier-provided reports against the contract and internally produced reports.
Where possible, a frequent cross-check will be made between the supplier reports and those created internally in order to make sure the two present a consistent picture of supplier performance. Both sets of reports will be reviewed at supplier meetings and any required actions agreed.
Managing changes to supplier services
Changes within contract
Changes to services provided by suppliers will be subject to the Vertic Ltd Pty change management process. This process includes the requirement to assess any information security implications of changes so that the effectiveness of controls is maintained.
Contractual Disputes
In the event of a contractual dispute, the following initial guidelines must be followed:
The Chief Financial Officer must be informed that a dispute exists
The CFO will then decide on next steps, based on an assessment of the dispute
Where applicable, legal advice should be obtained via the CFO
All correspondence with the supplier in dispute must be in writing and with the approval of the CFO
An assessment of the risk to the organization should be carried out prior to escalating any dispute, and contingency plans put in place
At all times the degree of risk to the business must be managed and if possible minimised.
End of contract
The following process will be followed for scheduled end of contract, early end of contract or transfer of contract to another party:
The end of contract will be requested in writing within the agreed terms
Transfer to another party shall be planned as a project and appropriate change control procedures followed
An assessment of the risk to the organization should be carried out prior to ending or transferring the contract, and contingency plans put in place
Any budgetary implications shall be incorporated into the financial model
The various aspects of ending a contract must be carefully considered at initial contract negotiation time.