Supplier Due Diligence Policy

Purpose

Our organisation relies on third-party providers to assist us in delivering services, not only to our customers, but also internally. They are crucial to meeting our business objectives, but can also introduce risks to our operational and data processing activities where they do not apply the same level of information security controls, or do not meet our requirements for capacity and availability. To ensure that we minimise the risks associated with the use of third-parties, we must establish clearly defined relationships with them through a due diligence programme that includes SLAs, contracts, and supplier review activities.

Management is committed to ensuring our relationships with our third-parties are managed in line with our security requirements, and has developed and approved this supplier due diligence policy in line with the ISO 27001 standard for information security and our organisation’s business requirements.

This document sets out the approved supplier due diligence policy so that it can be clearly communicated to all employees, contractors, and third-parties who have responsibilities for contracting and managing suppliers.

Scope

This policy shall apply to the management of all suppliers that have a role in operating and/or providing services that fall within the scope of our organisation’s ISMS. Such services could include facilities management, cloud services, web applications, software development, etc.

Audience

All employees, contractors, and third-parties who have responsibility for the procurement and management of suppliers and third-party services shall adhere to this Supplier Due Diligence Policy. These include, but are not limited to, the following roles:

For the purposes of this document, employees, contractors, and third-parties who carry out these roles shall be collectively referred to as “supplier relationship managers”.

Communication

This Supplier Due Diligence Policy shall be communicated to all employees and agency staff as part of the relevant department training programme, and periodically following any changes to the policy. All contractors and third-parties involved in managing suppliers and third-party services on our behalf shall be provided with a copy of this policy as part of the process for contracting services. Contractors and third-parties shall be re-issued with updated versions of this policy periodically, and following any changes.

Disciplinary Process

Where a supplier relationship manager knowingly engages in a relationship with a third-party in breach of this Supplier Due Diligence Policy, they shall be subject to the disciplinary process documented in the Company Manual, or the applicable service contract.

Improvement

Management is committed to the continual improvement of our Supplier Due Diligence Policy, and shall review this document on an annual basis, or whenever an independent review of our organisation’s ISMS reveals a non-conformance or opportunity for improvement. The Management Review shall determine if this policy continues to meet the requirements of our organisation.

Management also endeavours to plan our business operations so that our procurement and management of services are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties and responsibilities to guard against misuse such as fraud or the creation of conflicts of interest. Where a supplier relationship manager identifies a potential conflict or misuse arising from improper planning and assignment of duties, they should raise their concern immediately with their line manager or the ISMS Manager.

1. Choosing Suppliers

Our third-party providers frequently become our partners in the delivery of our business services, and supplier selection must therefore be done in a controlled way that minimises potential risks to our information systems and information. Our primary goal is to ensure a relationship of trust with our third-party providers, based on:

  1. Clear communication of our requirements from the procurement stage, and throughout the lifetime of the relationship.
  2. Appropriate and regular review and monitoring, based on the type of services provided and the potential associated risks.
  3. Open and collaborative engagement where both parties can communicate potential or ongoing issues that may impact the required services.

This section sets out our criteria for selecting suppliers.

1.1 Change Control

The procurement of a new service, or the change of an existing one, is a change in the way that we operate, and potentially a change to our information systems and the way we process information. Supplier relationship managers shall ensure that all such changes are raised in line with our Change Control Procedure, so that change managers can be assigned to properly assess the proposed new supplier or change in service, determine whether there is a clear business case, and establish how our organisation’s security and business requirements will be met.

The following shall be considered when assessing the change:

1.2 Procurement

Where there is an established procurement process in their area, supplier relationship managers shall ensure that the process is followed when entering into a new contract for services, or amending an existing contract. All procurement processes involving third-party providers shall adhere to the security and business requirements set out in this document.

2. Information Security in Agreements

To ensure our requirements for information security and availability are clearly communicated, each supplier relationship shall be governed by an applicable supplier agreement. The level of controls identified for each agreement shall be appropriate to the level of risk associated with the service and/or processing activities that the third-party provider will be carrying out on our behalf.

Once the new or modified service and supplier has been assessed in line with our Change Control Procedure as required in section 1.1 of this document, supplier relationship managers shall ensure applicable controls are included in the agreement. This section sets out our required controls for supplier agreements. The controls documented below should not be considered exhaustive, and supplier relationship managers may identify other applicable controls.

2.1 Communication

All third-party providers must identify a nominated security contact in the supplier agreement. This will not only allow supplier relationship managers to quickly and easily raise security-related concerns with the supplier, but will also facilitate the planning and scheduling of monitoring and review activities.

2.2 Information Security Policies & Procedures

2.3 Personal Data Protection Requirements

2.4 Legal & Regulatory Requirements

Legal and regulatory requirements that apply to the service or information processing activities being provided by the third-party may vary depending on the location, type of services being provided, and type of data being processed. For example, where card payment information is being processed, there may be a requirement for the third-party to comply with PCI-DSS. The following policies shall apply:

2.5 Intellectual Property & Escrow

2.6 Confidentiality

Supplier relationship managers shall ensure that all agreements they are responsible for contain suitable confidentiality and Non-Disclosure Agreements (NDAs). All data transferred to, and/or processed by, third-party providers must be protected from unauthorised disclosure.

2.7 Fourth-Parties & Supply Chain

2.8 Right to Audit

Supplier relationship managers shall ensure that the right to audit is included in agreements with third-party providers. The right to audit will include the necessary review and monitoring activities identified in line with section 1.1 of this document. Activities include, but may not be limited to:

2.9 Continuity of Services

2.10 Retention of Third-Party Certification

In situations where a valid third-party certification has been provided in lieu of performing certain due diligence activities with a third-party provider, the third-party provider shall include the intention to maintain the certification in the agreement, and provide a copy of the most recent certificate.

2.11 Training

Third-party providers shall provide assurance in agreements that the employees they contract to deliver the service are appropriately vetted and trained to perform the required work.

2.12 Agreement Termination

3. Review & Monitoring

As mentioned in section 1.1 and section 2.8 of this document, appropriate review and monitoring activities should be identified to ensure that the third-party providers we engage with for services continue to meet their contractual obligations and adhere to our requirements for information security and availability.

The following policies for review and monitoring of third-party providers shall apply:

4. Cloud Services

Our organisation may choose to engage with third-party providers that provide their services as cloud-based SaaS, PaaS, and IaaS solutions. These services are frequently multi-tenant, and provide only subscription-based and/or on-demand agreements based on a standard set of terms and conditions. In these situations it may not be possible to establish individual agreements with the third-party providers which cover all of our information security and business requirements.

The following policies shall apply when a cloud-service provider does not offer individual agreements for services:

5. Existing Suppliers

Our organisation may have engaged with a number of suppliers prior to the implementation of this Supplier Due Diligence Policy, and therefore these existing providers may not be contractually obligated to meet our requirements for information security. In this situation, the following policies shall apply: