Initial commit
83
03-procedures/supplier-onboarding-and-review-procedure.md
Normal file
@@ -0,0 +1,83 @@
Title: Supplier Onboarding and Review Procedure
Document ID: [PROC-SUPPLIER-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Supplier Onboarding and Review Procedure

## Purpose

This procedure defines how BlackDice should assess, onboard, record, and review suppliers relevant to the ISMS scope.

## Scope

This procedure applies to suppliers providing technology, hosting, support, development, data processing, operational, or other services that may affect security, resilience, or compliance.

## Trigger / When Used

Use this procedure when:

- a new supplier is proposed
- a supplier's role or service scope materially changes
- periodic supplier review is due
- a supplier incident or assurance concern triggers reassessment

## Procedure Steps

1. Record the proposed supplier, service description, owner, and business rationale.
2. Determine the supplier's risk tier based on access, information handled, service criticality, deployment model, and dependency importance.
3. Perform due diligence appropriate to the risk tier, including security, privacy, resilience, contractual, and shared-responsibility considerations.
4. Review the due diligence outcome and identify any required contractual controls, remediation actions, or risk acceptance decisions.
5. Obtain approval to onboard or continue using the supplier where required.
6. Record the supplier in the approved register with ownership, status, review cadence, and assurance references.
7. Perform periodic review and reassessment based on risk, incidents, material changes, or expired assurance evidence.
8. Track remediation actions, exceptions, and reassessment outcomes to closure.

## Inputs

- supplier proposal
- due diligence responses or evidence
- service and dependency information
- legal or contractual review input where applicable

## Outputs / Records

- supplier review record
- onboarding or continuation decision
- supplier register entry
- remediation, exception, or risk records where applicable

## Roles and Responsibilities

- Supplier owners must initiate and coordinate the review.
- [Role] must oversee supplier security due diligence and review expectations.
- Relevant stakeholders must support assessment and approval where applicable.

## Escalation / Exceptions

Escalate where:

- a supplier is business-critical or handles sensitive information
- assurance evidence is incomplete or materially outdated
- contractual controls cannot be agreed
- a supplier incident changes the risk profile materially

Exceptions must be documented and approved appropriately.

## Related Documents

- Supplier Security Policy
- Supplier Due Diligence Standard
- Risk Assessment Procedure
- Supplier Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
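Review bot: step 5 ("Obtain approval to onboard or continue using the supplier where required") names no approver and gives no rule for when approval is required, and the approval chain elsewhere in the file is equally open: the header lists the same person (CISO, Paul Jenkins) as both Owner and Approver, the Roles and Responsibilities section still carries an unfilled "[Role]" placeholder for who oversees supplier security due diligence, and the Escalation / Exceptions section says only that exceptions are "approved appropriately". Suggest tying approval in step 5 to the risk tier determined in step 2 (state which tiers need sign-off and by whom), filling the "[Role]" placeholder, naming the exception approver, and considering whether Owner and Approver should be different people so that the procedure's own approvals have some separation of duties.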