Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Vendor Management Policy

Seeded from legacy Allied Information Security Policy ("What we ask of partners" section). Content carried over for review. The legacy doc covers initial onboarding only; ongoing review, contractual security requirements, offboarding, and the vendor register all need drafting.

Purpose

To ensure information security risks introduced by third-party suppliers and service providers are identified, assessed, and managed throughout the supplier lifecycle.

Scope

Applies to all third parties that handle Allied information or have access to Allied systems, including cloud and SaaS providers.

Roles and responsibilities

RoleResponsibility
TBD (policy owner)Maintains the vendor register and review process
Service ownersConduct due diligence and ongoing review for vendors they engage

What we ask of partners

We and our partners will invariably be more comfortable and better able to comply with best practice if we share a common understanding of how and why we should protect information. As a part of any new business relationship with a third party (non-government) company, the lead Allied person should:

  • Highlight any sensitive information when referenced and explicitly direct any associated handling caveats.
  • Include an agreement on compliance with these or equivalent standards as a feature of any commercial/contractual relationship.
  • Make the company aware of government information handling markings and practices (UK Government Security Classifications).
  • Encourage compliance with and conversation around good security practices.

Policy statements

TBD — gap analysis to add: vendor register, risk-tiered due diligence, contractual security clauses, ongoing review cadence, offboarding (data return / deletion), notification of vendor breaches.