Doc owner: TBD
Vendor Management Policy
Seeded from legacy Allied Information Security Policy ("What we ask of partners" section). Content carried over for review. The legacy doc covers initial onboarding only; ongoing review, contractual security requirements, offboarding, and the vendor register all need drafting.
Purpose
To ensure information security risks introduced by third-party suppliers and service providers are identified, assessed, and managed throughout the supplier lifecycle.
Scope
Applies to all third parties that handle Allied information or have access to Allied systems, including cloud and SaaS providers.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| TBD (policy owner) | Maintains the vendor register and review process |
| Service owners | Conduct due diligence and ongoing review for vendors they engage |
What we ask of partners
We and our partners will invariably be more comfortable and better able to comply with best practice if we share a common understanding of how and why we should protect information. As a part of any new business relationship with a third party (non-government) company, the lead Allied person should:
- Highlight any sensitive information when referenced and explicitly direct any associated handling caveats.
- Include an agreement on compliance with these or equivalent standards as a feature of any commercial/contractual relationship.
- Make the company aware of government information handling markings and practices (UK Government Security Classifications).
- Encourage compliance with and conversation around good security practices.
Policy statements
TBD — gap analysis to add: vendor register, risk-tiered due diligence, contractual security clauses, ongoing review cadence, offboarding (data return / deletion), notification of vendor breaches.
Related
- Supply Chain Policy — physical-supply suppliers
- ISO 27001:2022 Annex A.5.19–A.5.23