
Suppliers Overview

  • With respect to Suppliers you will need to be in control of a number of topics: 

    • You will need to have an overview of all your suppliers 
    • Each supplier needs an assigned owner 
    • You will need to know the basic legal information about your suppliers 
    • You will need to be in control of the contract with each supplier 
    • You will need to review all contracts for security and business continuity issues 
    • You will need to determine whether suppliers have access to your applications and software tools 
    • You will need to determine whether suppliers have access to data, and what type of data 
    • You will need to know whether suppliers are involved in security procedures 
    • You will need to classify your suppliers and set the classification criteria 
    • On a yearly basis, you will need to assess all supplier information 
    • On a yearly basis, you will need to assess the high-risk suppliers 
    • You will need to have a suppliers procedure in place that describes the selection, review and off-boarding process 

Suppliers are a key element in your ISMS: without realising it, you will probably already have 20 suppliers when you start building your ISMS. The Suppliers Overview is always a complex topic. The time it takes you to complete this section will soon pay off, because with this exercise you have just performed your first supplier assessment, and it will make you aware of the risks that certain suppliers pose to your business. 

    • We grouped the information about your supplier into 3 topics: 

      • General 
      • Compliance 
      • Risk Profile 

      Be careful when adding and naming suppliers: once you have added a new supplier and named it, you will not be able to change the supplier's name again.  

      Below are some tips: 

      General 

      • There are all kinds of suppliers, which is why we have created a dropdown list for Profiles. 
      • TechTools are, for example, all the tooling that your development/product team is using. By adding a profile you can search the overview easily. Make sure you list all paid and free tools you use; any of them may carry security or business continuity risks. 
      • Do not forget the Marketing Tools, especially the ones used for monitoring your product (e.g. Hotjar). 
      • Cloud Providers (e.g. AWS, Azure, etc.) are not TechTools. 
      • Business Services can be non-tech and might carry no security risk; however, they might carry business continuity risks, so list them as well. 
      • Do not forget the HR tooling (e.g. for recruitment or administration). 
      • Other examples of suppliers: Compleye, co-working spaces, and, if you are a ‘spin-off company’, your mother company, which probably delivers services and is therefore also a supplier.  
      • List all your suppliers. It is our experience that when you review this list on a yearly basis you will probably discover some tooling/services that are no longer in use, because in the heat of the business you did not close the account or sign out.  
      • If a supplier has access to software you are using, you will need to tick the box ‘is part of Software Access’. By ticking the box, the supplier will appear as an option in the Access Management section.  
      • You can add contracts and the runtime of contracts. This is especially important for high-risk suppliers, as you will need to assess all their contracts on a yearly basis.  

      Compliance 

      • Compliance information can be found on the website of the supplier. If there is no search function, take a look at the bottom of the website, where most security and compliance information pages are listed. 
      • If you cannot find any information on the website, first classify at a high level whether the supplier is a security risk. If not, start with the Risk Profile: you will probably score them low, and compliance information is then less important. However, an NDA might still be applicable.  
      • For high-risk suppliers, it is very practical if the supplier is ISO27001 certified, as that makes the supplier assessment a bit easier. This can also become part of your supplier selection criteria: for certain jobs you will only select ISO27001 certified partners.  
      • If a Data Processing Agreement is in place, you will need to add it to the section Legal & Compliance / GDPR / DPA Overview. For your DPO (and the GDPR assessment) that is far more efficient. 
      • If NDAs or SLAs are in place, make sure to add them to this section, and add more information if needed.  

      Risk Profile 

      • You will need to classify your suppliers, and therefore you will need to set up risk criteria. Store this information in the Procedure/Info section of the Suppliers Overview, because you will use the same criteria for all suppliers. We created a link above the risks so you can check the criteria before adding a profile.  
      • To help you, we have defined risk criteria that you can use (table below). You can copy this information into the Procedure/Info section and customise it if needed.  
        Information security 
          Low: The supplier has no access to end-user data or source code 
          Medium: The supplier only has access to metadata on end-users and/or source code 
          High: The supplier has access to the end-user data (including personal data) and/or to the IT infrastructure 
        Business Continuity 
          Low: In the event of a supply interruption, switching to a comparable service is relatively easy 
          Medium: A supply interruption causes short-term problems within important business processes 
          High: A supply interruption causes mid-term to long-term problems within important business processes 
      • Once you have defined and approved your supplier management procedure, you can add a copy to this section as well, so that all information is in one place.  
      • Quality Risks are not a mandatory topic for the ISMS.

        The next 4 check boxes will be addressed in a later stage: 

      • Part of outsourced ISO27001 jobs (Statement of Applicability) 
      • Stakeholder in access management overview (Certification Process) 
      • Access to restricted data (Data Classification) 
      • Involved in security procedures (Policies & Procedures) 

GENERAL 
Field Name | Value | Example 
Name | Free text field | Compleye 
Owner | Select the owner from a drop-down menu. | [Name team member] 
Status | Select the status from a drop-down menu; options are Active or Inactive. | Active 
Profile | Select a business profile from a drop-down menu; options are: Business Services Provider, MarCom, Office Tools, Project Management Tools, Third-Party Data Provider, Documentation Storage, Other | Business Services 
Supplier Headquarter | Indicate the supplier’s headquarters in a free text format. | Amsterdam, The Netherlands 
Jurisdiction of Supplier | Indicate the supplier’s country of residence in a free text format. | Amsterdam 
Type of Contract | Indicate the contract type in a free text format. | Paid Subscription 
Date of Contract | Select a date using the embedded calendar. | [date picker] 
+Upload Document | | [Upload the confirmation of Assignment] 
Run Time | Specify the service run time in a free text format. | 1 year 
Used Since | Select a date using the embedded calendar. | [date picker] 
Closed Since | Select a date using the embedded calendar. | – 
Main Contact | Indicate the main contact in a free text format. | Karolin Kruiskamp 
Contact Details | Indicate contact details in a free text format. | info@compleye.io 

COMPLIANCE 
Field Name | Value | Example / tips 
Terms & conditions available | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [selection] 
GDPR policy in place | Select the checkbox to indicate an affirmative choice. | [some suppliers have specific GDPR policies or statements available; most of them are published on the supplier's website] 
NDA/Confidentiality agreement signed | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [selection] 
Data process agreement | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [if yes, add the DPA to the DPA overview under Section Legal & Compliance – GDPR] 
Software license agreement | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [selection; if yes, add the SLA to this section] 
Certifications | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | [check on the website which certifications are in place, e.g. ISO9001, SOC-2, etc.] 
Extra Info | Include any additional information, if available. | [whatever information you think might be valuable; also use this section for notes if there are changes] 
Upload Document | Upload relevant documents, if available. | 

RISK PROFILE 
Field Name | Value | Example 
Risk Criteria | Include the prescribed risk criteria in a free text format. | [Use the content in the Wiki as an example, adjust if needed, and add it to the Criteria info box in the Procedure/Info section] 
Information Security Risk | Select the determined risk profile from a drop-down menu; options are Low, Medium, High. | Low 
Business Continuity | Select the determined risk profile from a drop-down menu; options are Low, Medium, High. | Medium 
Upload Document | Upload the relevant document, if available. | 
Part of Outsourced ISO27001 | Select the checkbox to indicate an affirmative choice. | 
Stakeholder in Access Management Overview | Checkbox combined with descriptive free text. | 
Access to Restricted Data Resources | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | 
Involved in Security Procedure | Select the checkbox to indicate an affirmative choice. If required, include additional information in a free text format. | 