Supplier policy

Summary

This policy describes rules and principles on how we manage supplier relationships in our organization.

The service manager and office manager are responsible for implementing the policy.

Principles

  • The contract should contain our requirements for information security
    • Access to data and conditions
    • Service level agreement
    • Compliance with relevant policies
    • KPIs should be defined for the supplier
  • If the supplier will process PII (personally identifiable information) on our behalf:
    • A data processing agreement (DPA) must be signed
    • The data should be located within the EU
    • The supplier should have a privacy policy stating that they adhere to the GDPR
  • Suppliers should be assessed periodically, taking into account
    • Performance (are we happy with them?)
    • KPI performance (are they living up to the expectations?)
    • Recent incidents (were they a party in a recent information security incident?)