Supplier Assurance Guidance
Purpose
This guidance note helps supplier owners and reviewers apply the supplier security documents in a proportionate way.
Focus On Material Suppliers
Not every supplier needs the same depth of review. Review effort should be proportionate to exposure: give more attention to suppliers that:
- host or process important BlackDice data
- support production service delivery
- have privileged access
- affect resilience or customer commitments
- operate as subprocessors or critical dependencies
Questions To Ask During Review
Useful supplier review questions often include:
- what service is actually being provided
- what information is handled
- what access is granted
- what happens if the supplier fails
- what evidence exists for security and resilience
- what notification obligations apply
Shared Responsibility
For cloud and managed platforms, supplier review should not stop at "the provider is certified". A certification covers the supplier's side of the shared responsibility model; the practical question is which controls remain with BlackDice and which are actually delivered by the supplier.
That matters most for:
- identity and access
- configuration
- logging
- backup and recovery
- incident handling
- data location and retention
When To Reassess
Reassessment should be triggered when:
- the supplier's role expands
- the deployment model changes
- a major incident occurs
- assurance evidence becomes stale
- customer or regulatory expectations change
Related Documents
- ../../01-policies/supplier-security-policy.md
- ../../02-standards/supplier-due-diligence-standard.md
- ../../03-procedures/supplier-onboarding-and-review-procedure.md
- ../../04-registers/supplier-register-template.md