Supplier Management Policy

Introduction
Suppliers and service providers introduce varying degrees of risk depending on their role and access.

Objective
To maintain information security throughout the supply chain.

Scope
This policy applies to all suppliers and service providers.

Policy

  • An inventory of all suppliers shall be maintained.
  • All suppliers shall be screened, risk assessed and authorised.
  • All suppliers shall be subject to a contract that includes information security requirements.
  • Agreements should address data processing, protection, and transfer.
  • All supplier contracts shall require suppliers to propagate security requirements to their own suppliers.
  • All critical service providers shall be regularly reviewed to ensure compliance with agreed service levels and security requirements.
  • Where access to network infrastructure is required, suppliers should be given temporary, least-privilege, monitored access.
  • Changes to supplier services shall be assessed, documented and approved.

References
Access control policy
Data protection policy