Document ID: ISMS-POL-006 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
Purpose and Scope
This policy defines the requirements for managing information security risks associated with third-party suppliers, vendors, and service providers who have access to the organisation’s information, systems, or facilities, in accordance with ISO/IEC 27001:2022 Annex A controls 5.19 (information security in supplier relationships), 5.20 (addressing information security within supplier agreements), 5.21 (managing information security in the ICT supply chain) and 5.22 (monitoring, review and change management of supplier services), and, where the supplier is a cloud service provider, 5.23 (information security for use of cloud services).
It applies to all suppliers engaged by [Organisation Name], from contract initiation through ongoing relationship management to offboarding. The Information Security Manager (ISM) is responsible for maintaining the Supplier Register and ensuring this policy is followed during all supplier engagements.
1. Supplier Risk Classification
Not all suppliers present equal risk. The organisation classifies suppliers into tiers to apply proportionate due diligence and ongoing monitoring.
| Tier | Description | Examples | Due Diligence Level |
|---|---|---|---|
| Tier 1 — Critical | Supplier has access to client data, internal Confidential or Restricted information, or systems that are critical to service delivery; a breach or failure would directly affect clients or the organisation’s core operations | SIEM platform vendor (client log data), AWS/Azure (production environment), Microsoft (M365 — email and documents), HR/payroll SaaS (employee PII), penetration test tooling vendors with cloud components | Full security assessment; contractual security obligations including DPA; annual security review; right to audit or receive third-party audit report; current ISO 27001 certificate or SOC 2 Type II report required, with a scope that covers the services provided |
| Tier 2 — Important | Supplier accesses internal-only data or provides services that, if disrupted, would affect operations but not client services directly | Marketing automation platform, accounting software, recruitment platform, project management SaaS (no client data), training platform | Security questionnaire completed and reviewed; data processing terms in contract; incident notification clause; biennial review |
| Tier 3 — Standard | Supplier provides commodity services with no access to organisational data and no impact on information systems | Office supplies, couriers, cleaning services, catering | Standard commercial terms apply; no specific security assessment required; include basic security expectations in site access rules |
2. Pre-Engagement Due Diligence
Tier 1 Suppliers — Pre-Engagement Checklist
The following must be completed and documented before a Tier 1 supplier is engaged or before an existing supplier is elevated to Tier 1:
- ISO 27001:2022 certificate (or SOC 2 Type II report) obtained, reviewed, and confirmed as current and in-scope for the services to be provided
- Data Processing Agreement (DPA) reviewed by legal counsel and signed by both parties before any data is transferred
- Security questionnaire completed by the supplier and reviewed by the ISM; all critical findings resolved before go-live
- Subprocessor list reviewed and documented; confirm no subprocessors are in sanctioned jurisdictions or high-risk countries
- Penetration testing evidence reviewed (within the last 12 months); findings summary and remediation status confirmed
- Incident notification clause confirmed: supplier must notify the organisation within 72 hours of becoming aware of a security incident affecting our data
- Data residency confirmed and documented: where is data stored and processed? Is this consistent with regulatory obligations?
- Exit / data deletion procedure confirmed: how will data be returned or destroyed at contract end? Timeline specified in contract (maximum 30 days)
- Cyber liability insurance confirmed: supplier holds cyber liability insurance with adequate coverage; certificate of currency obtained
- Business continuity capability confirmed: supplier has a BCP/DR plan; relevant RTO/RPO commitments are in the SLA
Tier 2 Suppliers — Pre-Engagement Checklist
- Security questionnaire completed and reviewed; no critical unmitigated risks
- Data processing terms agreed and included in contract or as a separate addendum
- Incident notification clause included: supplier must notify the organisation within 72 hours of becoming aware of a security incident affecting the organisation’s data (the same obligation as for Tier 1)
- Data deletion on contract end confirmed in contract terms
3. Contract Security Requirements
The following clauses are mandatory in contracts with all Tier 1 suppliers. The ISM and legal counsel review all Tier 1 contracts before signing.
| Clause | Requirement | Notes |
|---|---|---|
| 1 — Data Processing Obligations | Data processing must comply with applicable privacy law (GDPR, Privacy Act) including purpose limitation, data minimisation, and subject rights | Specify the legal basis for processing; agree on data subject request handling procedure |
| 2 — Security Incident Notification | Supplier must notify the organisation without undue delay, and in any case within 72 hours, of becoming aware of any security incident that may affect the organisation’s data | Specify the contact details and notification method; require updates every 24 hours during active incidents. The organisation’s own deadline to notify a supervisory authority of a personal data breach (72 hours from becoming aware, under GDPR Article 33) is not extended by the supplier’s window, so a supplier that uses the full 72 hours leaves no margin; require an initial notice as soon as the incident is confirmed, with detail to follow |
| 3 — Right to Audit | Organisation has the right to conduct (or commission) a security audit of the supplier annually, or to receive a copy of the supplier’s most recent third-party audit report (e.g., ISO 27001 surveillance audit report, SOC 2 Type II report) | Supplier to provide audit report within 10 business days of request |
| 4 — Subprocessing Restriction | Supplier may not subcontract any processing of the organisation’s data without prior written consent; supplier must impose equivalent security obligations on any approved subprocessors | Supplier must maintain and provide an up-to-date subprocessor list |
| 5 — Data Deletion / Return | All data belonging to the organisation or its clients must be returned or securely deleted within 30 days of contract termination; supplier must provide written confirmation of deletion | Specify acceptable deletion methods; require certificate of destruction for physical media |
| 6 — Minimum Security Controls | Supplier must maintain: encryption of data at rest (AES-256) and in transit (TLS 1.2+); MFA for all accounts with access to the organisation’s data; vulnerability management and patching programme; access controls with least privilege | Supplier to provide annual attestation of compliance |
| 7 — Personnel Security | Supplier must conduct background screening on personnel with access to the organisation’s data; staff must be subject to confidentiality obligations | Reference supplier’s employment screening policy |
| 8 — Regulatory Compliance | Supplier must comply with all applicable regulations in the jurisdictions where data is processed; notify the organisation of any regulatory action that may affect the organisation’s data | Includes PCI DSS, HIPAA, or other sector-specific requirements as applicable |
| 9 — Liability | Limitation of liability clause appropriate to the risk exposure; ensure cyber incidents are not excluded from the liability cap | Minimum liability equal to 12 months of contract value; or aligned with cyber insurance coverage |
4. Ongoing Monitoring
Once a supplier is engaged, the organisation does not assume the risk relationship is static. Monitoring activities are scaled to the supplier tier.
| Activity | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Security questionnaire review | Annually | Every 2 years (biennial) | Not required |
| Current ISO 27001 certificate / SOC 2 Type II report obtained and checked for validity and scope | Annually | Not required | Not required |
| Review of incident reports / security advisories | Required; review after any vendor-disclosed incident | Required; review after major incidents | Not required |
| Quarterly performance and security review meeting | Required | Annual meeting | Not required |
| Right to audit exercised | Every 2 years minimum (or via third-party report annually) | Not required | Not required |
| Financial stability check (credit check / public filings) | Annual | Annual | Not required |
| Subprocessor list review | Annual | Not required | Not required |
| Contract renewal security review | Required — ISM sign-off before renewal | ISM review recommended | Standard procurement process |
5. Supplier Register
All suppliers must be recorded in the Supplier Register maintained by the ISM. The register is reviewed quarterly and updated on any change.
| Supplier Name | Tier | Services Provided | Data Processed | Contract Expiry | Last Security Review | Certification | Risk Rating | Open Actions |
|---|---|---|---|---|---|---|---|---|
| [SIEM Vendor Name] | 1 | SOC platform hosting; log aggregation | Client log data (Internal/Confidential) | 2027-06-30 | Overdue as at March 2026 (see R-012) | ISO 27001:2022 (verify) | High | R-012 — contract addendum required |
| Amazon Web Services | 1 | Production cloud hosting; SOC platform | Client data; Restricted configs | Rolling — AWS customer agreement | March 2025 | ISO 27001:2022; SOC 2 Type II | Medium | None |
| Microsoft (M365) | 1 | Email; collaboration; identity (Entra ID) | Employee PII; Internal documents | Rolling — MPSA | March 2025 | ISO 27001:2022; SOC 2 Type II | Medium | None |
| [HR SaaS Provider] | 1 | HR and payroll processing | Employee PII; salary; bank details | 2026-12-31 | October 2025 | ISO 27001:2022 | Medium | Enforce SSO — see R-006 |
| [Accounting SaaS] | 2 | Financial records; invoicing | Financial data (Confidential) | 2027-03-31 | January 2026 | SOC 2 Type I | Low | None |
| [Recruitment Platform] | 2 | Job advertising; applicant tracking | Applicant PII (names, CVs) | Rolling | Not reviewed — schedule due | Unknown | Medium | Schedule Tier 2 review |
6. Offboarding Procedure
When a supplier relationship ends (contract termination, non-renewal, or replacement), the following steps must be completed:
- Notify the supplier in writing that the contract is ending; confirm the data deletion deadline (30 days from contract end).
- Request data deletion confirmation in writing: the supplier must confirm that all organisational data has been securely deleted or returned; retain this confirmation.
- Revoke all access: IT Manager removes all API keys, credentials, VPN accounts, guest identities, application or OAuth consents, and any other system access granted to the supplier, and rotates any organisational secrets the supplier held or could have seen (shared API keys, service account passwords, integration tokens); confirm revocation in the Access Register.
- Update the Access Register: mark all supplier access entries as revoked with the date and IT Manager sign-off.
- Archive the contract: retain all contract documentation, security assessments, and correspondence for a minimum of 7 years.
- Update the Supplier Register: mark the supplier as offboarded with the offboarding date.
- ISM review: confirm that no residual access or data sharing exists before formally closing the supplier relationship.
7. Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue |