Title: Supplier Onboarding and Review Procedure

Document ID: [PROC-SUPPLIER-001]

Version: 0.1 Draft

Status: Draft

Owner: CISO (Paul Jenkins)

Approver: CISO (Paul Jenkins)

Classification: Internal

Effective date: [DD Month YYYY]

Review date: [DD Month YYYY]

# Supplier Onboarding and Review Procedure

## Purpose

This procedure defines how BlackDice should assess, onboard, record, and review suppliers relevant to the ISMS scope.

## Scope

This procedure applies to suppliers providing technology, hosting, support, development, data processing, operational, or other services that may affect security, resilience, or compliance.

## Trigger / When Used

Use this procedure when:

- a new supplier is proposed
- a supplier's role or service scope materially changes
- periodic supplier review is due
- a supplier incident or assurance concern triggers reassessment

## Procedure Steps

1. Record the proposed supplier, service description, owner, and business rationale.
2. Determine the supplier's risk tier based on access, information handled, service criticality, deployment model, and dependency importance.
3. Perform due diligence appropriate to the risk tier, including security, privacy, resilience, contractual, and shared-responsibility considerations.
4. Review the due diligence outcome and identify any required contractual controls, remediation actions, or risk acceptance decisions.
5. Obtain approval to onboard or continue using the supplier where required.
6. Record the supplier in the approved register with ownership, status, review cadence, and assurance references.
7. Perform periodic review and reassessment based on risk, incidents, material changes, or expired assurance evidence.
8. Track remediation actions, exceptions, and reassessment outcomes to closure.

## Inputs

- supplier proposal
- due diligence responses or evidence
- service and dependency information
- legal or contractual review input where applicable

## Outputs / Records

- supplier review record
- onboarding or continuation decision
- supplier register entry
- remediation, exception, or risk records where applicable

## Roles and Responsibilities

- Supplier owners must initiate and coordinate the review.
- [Role] must oversee supplier security due diligence and review expectations.
- Relevant stakeholders must support assessment and approval where applicable.

## Escalation / Exceptions

Escalate where:

- a supplier is business-critical or handles sensitive information
- assurance evidence is incomplete or materially outdated
- contractual controls cannot be agreed
- a supplier incident changes the risk profile materially

Exceptions must be documented and approved appropriately.

## Related Documents

- Supplier Security Policy
- Supplier Due Diligence Standard
- Risk Assessment Procedure
- Supplier Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |