Initial commit

05-guidance/supplier-assurance-guidance.md

@@ -0,0 +1,56 @@
+# Supplier Assurance Guidance
+
+## Purpose
+
+This guidance note helps supplier owners and reviewers apply the supplier security documents in a proportionate way.
+
+## Focus On Material Suppliers
+
+Not every supplier needs the same depth of review. More attention should be given to suppliers that:
+
+- host or process important BlackDice data
+- support production service delivery
+- have privileged access
+- affect resilience or customer commitments
+- operate as subprocessors or critical dependencies
+
+## Questions To Ask During Review
+
+Useful supplier review questions often include:
+
+- what service is actually being provided
+- what information is handled
+- what access is granted
+- what happens if the supplier fails
+- what evidence exists for security and resilience
+- what notification obligations apply
+
+## Shared Responsibility
+
+For cloud and managed platforms, supplier review should not stop at "provider is certified". The practical question is which controls remain with BlackDice and which are delivered by the supplier.
+
+That matters most for:
+
+- identity and access
+- configuration
+- logging
+- backup and recovery
+- incident handling
+- data location and retention
+
+## When To Reassess
+
+Reassessment should be triggered when:
+
+- the supplier's role expands
+- the deployment model changes
+- a major incident occurs
+- assurance evidence becomes stale
+- customer or regulatory expectations change
+
+## Related Documents
+
+- `../../01-policies/supplier-security-policy.md`
+- `../../02-standards/supplier-due-diligence-standard.md`
+- `../../03-procedures/supplier-onboarding-and-review-procedure.md`
+- `../../04-registers/supplier-register-template.md`