Title: Supplier Due Diligence Standard
Document ID: [STD-SUPPLIER-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Supplier Due Diligence Standard

## Purpose

This standard defines the minimum due diligence requirements for onboarding and reviewing suppliers that may affect information security, service delivery, or compliance obligations.

## Scope

This standard applies to suppliers, service providers, subprocessors, hosting providers, development partners, and other third parties relevant to the ISMS scope.

## Mandatory Requirements

Suppliers that support in-scope services or handle relevant information must be assessed before onboarding, to a level proportionate to their risk and criticality.

Due diligence must consider the nature of the service, access level, information handled, dependency criticality, deployment model, and relevant legal or contractual obligations.

Material suppliers must have a defined owner within BlackDice responsible for coordinating review and ongoing oversight.

Security, privacy, resilience, and notification expectations should be addressed through contractual terms or other approved mechanisms where appropriate.

Supplier assurance information relied upon for risk decisions must be reviewed for relevance, scope, and currency.

Changes in supplier service model, ownership, control environment, or incident history that may materially affect risk must trigger reassessment.

Supplier review outcomes, decisions, and follow-up actions must be recorded in an auditable manner.

## Implementation Guidance

BlackDice should tier suppliers so that deeper review is focused on those with greater operational importance, access, or information sensitivity.

Due diligence may include questionnaires, assurance reports, certifications, contract review, architectural review, incident history, and dependency analysis, as appropriate.
For cloud providers and operator-hosted deployment models, due diligence should explicitly consider shared-responsibility boundaries and operational dependencies.

Where a supplier cannot meet all requirements, compensating controls, contractual mitigation, planned remediation, or formal risk acceptance should be considered.

## Roles and Responsibilities

- [Role] must define supplier due diligence expectations.
- Supplier owners must complete or coordinate required due diligence and review.
- Procurement, legal, security, privacy, and operational stakeholders must support assessment where relevant.

## Exceptions

Exceptions must be documented, justified, risk-assessed, approved, and reviewed through the defined process.

## Related Documents

- Supplier Security Policy
- Privacy and Data Protection Policy
- Supplier Onboarding and Review Procedure
- Supplier Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |