Our organisation relies on third-party providers to assist us in delivering services, not only to our customers, but also internally. They are crucial to meeting our business objectives, but can also introduce risks to our operational and data processing activities where they do not apply the same level of information security controls, and do not meet our requirements for capacity and availability. To ensure that we minimise risks associated with the use of third-parties, we must establish clearly defined relationships with them by leveraging a due diligence programme that includes SLAs, contracts, and supplier review activities.
Management is committed to ensuring our relationships with our third-parties are managed in line with our security requirements, and have developed and approved this supplier due diligence policy in line with the ISO 27001 standard for information security, and our organisation’s business requirements.
This document sets out the approved supplier due diligence policy so that it can be clearly communicated to all employees, contractors, and third-parties who have responsibilities for contracting and managing suppliers.
This policy shall apply to the management of all suppliers that have a role in operating and/or providing services that fall within the scope of our organisation’s ISMS. Services could include facilities management, cloud-services, web apps, software development, etc.
All employees, contractors, and third-parties who have responsibility for the procurement and management of suppliers and third-party services shall adhere to this Supplier Due Diligence Policy. These include, but are not limited to, the following roles:
- Senior management
- Department heads
- Line managers
- Asset owners
- Business owners
- Data protection managers
- Managed services providers
For the purposes of this document, employees, contractors, and third-parties who carry out these roles shall be collectively referred to as “supplier relationship managers”.
This Supplier Due Diligence Policy shall be communicated to all employees and agency staff as part of the relevant department training programme, and periodically following any changes to the policy. All contractors and third-parties involved in managing suppliers and third-party services on our behalf shall be provided with a copy of this policy as part of the process for contracting services. Contractors and third-parties shall be re-issued with updated versions of this policy periodically, and following any changes.
Where a supplier relationship manager knowingly engages in a relationship with a third-party in breach of this Supplier Due Diligence Policy, they shall be subject to the disciplinary process documented in the Company Manual, or the applicable service contract.
Management is committed to the continual improvement of our Supplier Due Diligence Policy, and shall review this document on an annual basis, or whenever an independent review of our organisation’s ISMS reveals a non-conformance or opportunity for improvement. The Management Review shall determine if this policy continues to meet the requirements of our organisation.
Management also endeavours to plan our business operations so that our procurement and management of services is not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties and responsibilities to guard against misuses such as fraud, or creating situations where there is a conflict of interest, etc. Where a supplier relationship manager identifies potential conflicts or misuse due to improper planning and assignment of duties, they should raise their concern immediately with their line manager, or the ISMS Manager.
1. Choosing Suppliers
Our third-party providers frequently become our partners in the delivery of our business services, and supplier selection must therefore be done in a controlled way that minimises potential risks to our information systems and information. Our primary goal is to ensure a relationship of trust with our third-party providers, based on:
- Clear communication of our requirements from the procurement stage, and throughout the lifetime of the relationship.
- Appropriate and regular review and monitoring, based on the type of services provided and the potential associated risks.
- Open and collaborative engagement where both parties can communicate potential or ongoing issues that may impact the required services.
This section sets out our criteria for selecting suppliers.
1.1 Change Control
The procurement of a new service, or the change of an existing one, is a change in the way that we operate, and potentially a change to our information systems and the way we process information. Supplier relationship managers shall ensure that all such changes are raised in line with our Change Control Procedure
so that change managers can be assigned and properly assess the proposed new supplier, or change in service, and determine whether there is a clear business case, and how our organisation’s security and business requirements will be met.
The following shall be considered when assessing the change:
- The supplier’s ability to adhere to our information security policies.
- The supplier’s ability to deliver the service in line with relevant SLAs, including current and projected potential capacity requirements, where relevant.
- The supplier’s reliance on sub-processing or fourth-parties to deliver the service.
- Our existing contractual requirements, and the impact this change in supplier or provision of services may have on our ability to meet those requirements.
- Our legal and regulatory requirements, and the impact this change in supplier or provision of services may have on our ability to meet those requirements.
- What monitoring and review activities will be required to ensure that the third-party continues to meet our security and business requirements. This should be appropriate to the level of risk assigned to the operational and processing activities carried out.
Where there is an established procurement process in their area, supplier relationship managers shall ensure that the process is followed when engaging with a new contract for services, or amending an existing contract. All procurement processes involving third-party providers shall adhere to the security and business requirements set out in this document.
2. Information Security in Agreements
To ensure our requirements for information security and availability are clearly communicated, each supplier relationship shall be governed by an applicable supplier agreement. The level of controls identified for each agreement shall be appropriate to the level of risk associated with the service and/or processing activities that the third-party provider will be carrying out on our behalf.
Once the new or modified service and supplier has been assessed in line with our Change Control Procedure as required in section 1.1 of this document, supplier relationship managers shall ensure applicable controls are included in the agreement. This section sets out our required controls for supplier agreements. The controls documented below should not be considered exhaustive, and supplier relationship managers may identify other applicable controls.
All third-party providers must identify a nominated security contact in the supplier agreement. This will not only allow supplier relationship managers to quickly and easily raise security-related concerns to the supplier, but will facilitate the planning and scheduling of monitoring and review activities.
2.2 Information Security Policies & Procedures
- Supplier relationship managers shall ensure that all relevant and current information security policies and procedures are provided to third-party providers as part of the process for contracting services, and shall ensure that these are re-issued periodically, and following any changes.
- All provided information security policies and procedures shall be listed in the agreement, along with their date of issue. This will allow supplier relationship managers to quickly identify which documents have been provided, and if they are current.
- Third-party providers shall be required to acknowledge receipt of the documents in writing.
- Where third-parties have determined that they will adhere to their own information security policies and procedures, the third-party shall identify and provide their own corresponding documents. This will allow supplier relationship managers to identify any gaps or issues in policy alignment, and determine documentation for review as part of any monitoring and review activities.
2.3 Personal Data Protection Requirements
- The Data Protection Lead shall be consulted in line with our Change Control Procedure to ensure that all personal data processing requirements are identified.
- Where the third-party is processing personal data on behalf of our organisation, a contract for data processing shall be put in place that adheres to the applicable data protection laws. No personal data shall be transferred or processed without an agreement in place.
- Third-parties shall identify a Data Protection Officer or a Data Protection Manager in the agreement so that supplier relationship managers can quickly and easily escalate data processing queries such as personal data requests and potential personal data breach incidents, etc.
2.4 Legal & Regulatory Requirements
Legal and regulatory requirements that apply to the service or information processing activities being provided by the third-party may vary depending on the location, type of services being provided, and type of data being processed. For example, where card payment information is being processed, there may be a requirement for the third-party to comply with PCI-DSS. The following policies shall apply:
- Supplier relationship managers shall ensure that all supplier agreements are reviewed from a legal and regulatory perspective prior to being issued to the third-party provider.
- Supplier relationship managers shall ensure that all applicable legal and regulatory requirements are documented in the agreement.
- Third-party providers shall be required to acknowledge adherence to the applicable legal and regulatory requirements.
- Supplier relationship managers shall review agreements they are responsible for at regular intervals, and ensure the legal and regulatory requirements are reviewed and agreed with the third-party, as required.
2.5 Intellectual Property & Escrow
- Supplier relationship managers shall ensure that ownership for intellectual property is clearly documented in agreements with third-parties.
- Where necessary, supplier relationship managers shall ensure that provisions for placing source code into escrow are identified and documented in the agreement.
- Where third-parties provide software development services that may use our own software or code, supplier relationship managers shall ensure that agreements contain controls that prohibit the modification or reverse engineering of our software packages, unless absolutely required to fulfil the contract for services.
Supplier relationship managers shall ensure that all agreements they are responsible for contain suitable confidentiality and Non-Disclosure Agreements (NDAs). All data transferred to, and/or processed by, third-party providers must be protected from unauthorised disclosure.
2.7 Fourth-Parties & Supply Chain
- Third-party providers shall identify all fourth-parties they engage with for sub-processing and/or service delivery activities in agreements. Sub-contracted organisations can impact the supply chain, and the third-party provider’s ability to deliver the services required.
- Third-party providers shall acknowledge their responsibility for managing relevant fourth-parties in agreements.
- Third-party providers shall acknowledge that all applicable information security policies and procedures are communicated to fourth-parties.
2.8 Right to Audit
Supplier relationship managers shall ensure that the right to audit is included in agreements with third-party providers. The right to audit will include the necessary review and monitoring activities identified in line with section 1.1 of this document. Activities include, but may not be limited to:
- Vulnerability scanning
- Penetration testing
- Site visit and physical security audits
- Review of applicable information security policies and procedures at regular intervals
- Confirmation of the validity of any independent certifications held
- Engagement with and completion of required security questionnaires
- Provision and review of the results of any self-testing exercises such as service continuity testing, penetration testing, etc.
- Security awareness training programmes
2.9 Continuity of Services
- Supplier relationship managers shall ensure that the capacity and availability requirements identified in section 1.1 of this policy are documented in the agreement.
- Third-party providers shall acknowledge the agreed service levels by including an appropriate SLA in the agreement.
- Where third-party providers may be required to participate in our own business continuity and incident response testing exercises, supplier relationship managers shall ensure the requirement to participate is included in the agreement.
2.10 Retention of Third-Party Certification
In situations where a valid third-party certification has been provided in lieu of performing certain due diligence activities with a third-party provider, the third-party provider shall include the intention to maintain the certification in the agreement, and provide a copy of the most recent certificate.
Third-party providers shall provide assurance in agreements that the employees they contract to deliver the service are appropriately vetted and trained to perform the required work.
2.12 Agreement Termination
- Supplier relationship managers shall ensure that grounds for contract termination are included in the agreement. These should be appropriate to the risk level assigned to the service and/or associated information processing activities.
- Supplier relationship managers shall ensure a suitable duration for the agreement is set. Agreements shall not be valid for excessively long or short periods of time, but should be appropriate to the criticality of the service and assigned risk level. For example, a contract for facilities management may be valid for 3 years, but a contract to use a cloud-based payroll service may be valid for 1 year, and subject to quarterly review.
- Third-party providers shall acknowledge that all information provided to them by our organisation will be returned upon termination of the agreement, and shall also stipulate how the information will be returned.
3. Review & Monitoring
As mentioned in section 1.1 and section 2.8 of this document, appropriate review and monitoring activities should be identified to ensure that the third-party providers we engage with for services continue to meet their contractual obligations and adhere to our requirements for information security and availability.
The following policies for review and monitoring of third-party providers shall apply:
- The review and monitoring activities identified shall be appropriate to the level of risk assigned to the service and associated information processing activities.
- The review and monitoring activities identified shall not be excessive, and shall be planned in a way that does not disrupt the business operations of either party.
- Supplier relationship managers shall ensure that review meetings are held at regular intervals with the third-party providers they are responsible for. The frequency of review meetings shall be based on the level of risk assigned to the service and associated information processing activities.
- Supplier relationship managers shall ensure that all evidence of review and monitoring activities, such as meeting minutes, testing results, updated policies and procedures, security questionnaires, etc. are retained. Reviewing and monitoring activities should be captured using the Supplier Monitoring Activity Review, where appropriate.
- Supplier relationship managers shall review agreements with third-party providers at least annually to ensure that the agreement continues to meet our business and security requirements. Where potential changes are identified, these shall be raised with the third-party provider and the agreement updated, where possible. Agreement review activities should be captured using the Supplier Agreement Review, where appropriate.
- Where a change in agreement is required, or a third-party provider can no longer meet the requirements of an agreement, supplier relationship managers shall notify the ISMS Manager so that a risk assessment can be organised and performed in line with our Risk Management Process.
- Where review and monitoring activities show that a third-party provider is consistently failing to meet the agreed security and business requirements, the supplier relationship manager shall notify the ISMS Manager so that a risk assessment can be organised and performed in line with our Risk Management Process.
- Where the third-party is a cloud service provider that provides only standard terms and conditions and does not engage with individual monitoring and review activities, the requirements set out in section 4 this policy shall apply.
4. Cloud Services
Our organisation may choose to engage with third-party providers that provide their services as cloud-based SaaS, PaaS, and IaaS solutions. These services are frequently multi-tenant, and provide only subscription-based and/or on-demand agreements based on a standard set of terms and conditions. In these situations it may not be possible to establish individual agreements with the third-party providers which cover all of our information security and business requirements.
The following policies shall apply when a cloud-service provider does not offer individual agreement for services:
- The cloud-service provider shall be carefully assessed in line with our Change Control Procedure to determine if the service meets our security and business requirements, ensuring that any gaps are identified.
- Where the cloud-service provider uses a shared-responsibility model, it is important to understand what the provider is responsible for, and what our organisation is responsible for.
- For example, AWS provides identity access controls as a service, but it is the customer’s responsibility to ensure the controls are implemented and used in line with organisational security policy. The ISMS Manager shall assist in identifying responsibilities and required security controls for the service in line with our Risk Management Process.
- Supplier relationship managers shall ensure they subscribe to relevant news or update feeds for the cloud-service provider to remain informed of any service updates and changes to terms and conditions.
- The Data Protection Lead shall ensure that any processing of personal data complies with applicable data protection laws as part of our Change Control Procedure. Data shall not be transferred illegally.
- Supplier relationship managers shall ensure that all available information related to the security of the cloud service is reviewed, where available. Where third-party certification and audit reports are provided, these shall be reviewed to confirm the validity of the certification, and that the published scope of the certification includes the services provided to our organisation.
- Supplier relationship managers shall review agreement information, such as terms of service, subscriptions, and data processing agreements (DPAs), at regular intervals in line with section 3 above.
- Where use of the cloud-service provider is terminated, supplier relationship managers shall ensure that data is appropriately returned, exported, or deleted either prior to termination, or as part of the termination process.
- Supplier relationship managers shall confirm access to the service is removed following return, export, or deletion of the data.
5. Existing Suppliers
Our organisation may have engaged with a number of suppliers prior to the implementation of this Supplier Due Diligence Policy, and therefore these existing providers may not be contractually obligated to meet our requirements for information security. In this situation, the following policies shall apply:
- The third-party provider shall be risk assessed in line with our Risk Management Process to identify any gaps in current security controls.
- The supplier relationship manager shall engage with the third-party provider to determine if any identified gaps can be remediated, and if the current agreement can be updated to include the current security requirements.
- Where necessary, management may make the decision to ‘grandfather’ the service provider to make them exempt from this policy, and accept the associated risk. This shall be recorded in our Risk Register in line with our Risk Management Process.