Information Security Policy for Supplier Relationships
Introduction:
Purpose: The purpose of this policy is to outline the minimum security requirements for supplier relationships to ensure the confidentiality, integrity, and availability of client data processed by the company, in line with the ISO/IEC 27001 standard.
Scope: This policy applies to all suppliers providing services or products to the company, including sub-contractors, consultants, and third-party service providers.
Information Security Requirements:
Confidentiality: Suppliers must maintain the confidentiality of client data and ensure that it is only accessible to authorized individuals for legitimate business purposes in accordance with the company's information classification and handling policy.
Integrity: Suppliers must ensure the accuracy and completeness of client data, prevent unauthorized changes, and implement appropriate data backup and recovery procedures.
Availability: Suppliers must ensure that client data is available and accessible to authorized individuals as required for business operations, and implement appropriate disaster recovery procedures.
Security Measures:
Access Control: Suppliers must implement appropriate access controls to ensure that only authorized individuals can access client data, including identification, authentication, and authorization procedures.
Data Encryption: Suppliers must encrypt client data in transit and at rest to protect it from unauthorized access, in accordance with the company's encryption policy.
Backup and Recovery: Suppliers must implement a backup and recovery plan to ensure that client data can be restored in the event of a disaster, in accordance with the company's backup and recovery policy.
Incident Response: Suppliers must have a documented incident response plan in place to respond to security incidents and minimize the impact on client data, in accordance with the company's incident response policy.
Compliance:
Audits: The company may conduct audits of suppliers to ensure compliance with this policy, in accordance with the company's internal audit policy.
Remediation: Suppliers must take remedial action to address any non-compliance issues identified during an audit, in accordance with the company's non-conformance policy.
Termination: The company may terminate its relationship with a supplier if the supplier fails to comply with this policy.
Enforcement and Audit:
Compliance Monitoring: The company will monitor supplier compliance with this policy on an ongoing basis, including through regular audits and assessments.
Enforcement: The company may take enforcement action, including termination of the relationship with a supplier, if the supplier fails to comply with this policy.
Audit Records: Suppliers must maintain records of their compliance with this policy, and these records must be made available for review during audits conducted by the company.
Responsibility:
Suppliers are responsible for ensuring that their employees and sub-contractors comply with this policy.
The company is responsible for monitoring supplier compliance with this policy, in accordance with the company's supplier management policy.