Title: Supplier Security Policy
Document ID: [POL-SUPPLIER-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Supplier Security Policy

## Purpose

This policy defines BlackDice's requirements for assessing and managing information security risk arising from suppliers and third-party service providers.

## Scope

This policy applies to suppliers that provide technology, hosting, development support, operational services, data processing, or other services relevant to the ISMS scope.

## Objectives

- manage supplier-related security and resilience risk
- ensure supplier controls are proportionate to service criticality and information sensitivity
- support ongoing oversight of important third-party relationships

## Principles / Policy Statements

Suppliers must be assessed for information security risk before onboarding where they support in-scope services or handle relevant information.

The level of due diligence, contracting, and ongoing review must reflect the supplier's role, access, criticality, and risk.

Shared responsibility boundaries with cloud providers, operator-hosted environments, and specialist security or telemetry providers must be understood and documented.

Supplier arrangements should define relevant security expectations, notification obligations, and rights of review or assurance where appropriate.

Material supplier changes, incidents, or control concerns must trigger reassessment.

## Roles and Responsibilities

- [Role] must oversee the supplier security framework.
- Supplier owners must ensure due diligence and review activities are completed.
- Procurement, legal, and operational stakeholders must support security review where applicable.

## Compliance / Exceptions

Onboarding or continued use of a supplier without the required review must be risk-assessed and approved as an exception where unavoidable.

## Monitoring and Review

This policy should be monitored through supplier reviews, assurance evidence, incidents, contract changes, and audit.

## Related Documents

- Information Security Policy
- Supplier Due Diligence Standard
- Supplier Onboarding and Review Procedure
- Supplier Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |