Specifies the controls that need to be applied to all suppliers who can compromise the security of Servana’s information assets.
This sub-policy does not apply to services supplied by individuals under the terms of an employment contract issued by Servana.
Role | Responsibility |
Directors | To maintain an Approved Suppliers Register |
Directors | To ensure that all suppliers are provided with up-to-date copies of Servana’s policies and procedures that are relevant to them |
Directors | To ensure that the information security controls specified in the Supply of Goods and Services Agreement are audited as per this Policy |
Directors | To ensure supplier assessments and audits are conducted as per the Approved Suppliers Register and / or Internal Audit Plan |
All suppliers will be allocated a risk rating, derived from their importance and / or the value (personal, commercial) of information they will process. The use of any supplier who will be sub-processing information controlled or processed by Servana must be approved prior to use:
High risk suppliers must be approved by both the Managing Director and Director
Medium risk suppliers must be approved by either the Managing Director or Director
Low risk suppliers must be approved by either the Managing Director or Director
The use of all suppliers undertaking processing of personal information on behalf of Servana learning must be done in accordance with the Protection of Personal Information Policy.
Up-to-date records relating to the status of information about supplier security controls must be maintained in the Approved Suppliers Register.
All information security risks identified that relate to the use of suppliers must be assessed and recorded in the Asset and Risk Assessment Register in accordance with the Information Asset and Risk Management Procedure.
Where categorised as high or medium risk, suppliers must not deliver goods or services that are not covered within the scope of a current supply of goods and services agreement (or equivalent document). The current supply of goods and services agreement must include the following information:
The scope of goods and services supplied by the supplier covered by the agreement
The obligations of the supplier to protect Servana’s information assets in respect of availability, integrity, and confidentiality
The obligations of the supplier to comply with Servana’s Information Security Policy and relevant processes, policies, and procedures in its ISMS, including acknowledgement of documents supplied by Servana
The minimum information security controls implemented and maintained by suppliers to protect Servana’s information assets and the arrangements for monitoring their effectiveness
The arrangements for reporting and managing security incidents, as per the Security Incident Management Procedure
The arrangements for managing changes to any assets, as per the Change Control Procedure
The contact names of the persons employed by Servana and suppliers with responsibility for information security
The defect resolution and conflict resolution processes.
The information security controls detailed above should include the following considerations:
Subcontracting of the supply of goods and services by the suppliers to third parties
Access control to Servana’s assets by suppliers, employees, and subcontractors
Resilience, recovery, and contingency arrangements to ensure the availability of any assets including any information processing facilities provided by suppliers and / or Servana
Accuracy and completeness controls to ensure the integrity of the assets, information or information processing equipment/facilities provided by suppliers and / or Servana
Processes and / or procedures for transferring information and / or information processing facilities between suppliers, Servana and other third parties
Awareness training for suppliers’ employees and subcontractors
Any legal and regulatory requirements, including information protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met
Supplier obligation to periodically deliver an independent report on the effectiveness of controls.
All suppliers on the Approved Suppliers Register are subject to assessment and / or audit.
Assessments will be conducted by the Directors – both at first use of a (potential) supplier and then at intervals as defined on the Approved Suppliers Register.
Internal Audits will be conducted by an Internal Auditor (as per the Internal Audit Procedure).
The performance of all suppliers, together with results of assessments and audits should be reviewed at management reviews