Supplier Management Policy

Suppliers and service providers introduce varying degrees of risk depending on their role and access.

To maintain information security throughout the supply chain.

This policy applies to all suppliers and service providers.


  • An inventory of all suppliers shall be maintained.
  • All suppliers shall be screened, risk assessed and authorised.
  • All suppliers shall be subject to contract including information security requirements.
  • Agreements should address data processing, protection, and transfer.
  • All supplier contracts shall propagate security requirements to their suppliers.
  • All critical service providers shall be regularly reviewed to ensure compliance with agreed service levels and security requirements.
  • Suppliers should be given temporary, least-privilege, monitored access to network infrastructure if required.
  • Changes to supplier services shall be assessed, documented and approved.

Access control policy
Data protection policy