Item | Value |
Organization | Information Dynamics |
Document Name | Supplier Management Policy |
Classification | Internal |
Compliance Reference | ISO 27001:2013 and ISO 20000:2011 |
Date | Version | Prepared By |
29th OCT 2019 | 1.0 | Information Dynamics |
20th Oct 2020 | 1.1 | Saravanan & Rupesh |
20th Oct 2021 | 1.2 | Saravanan & Rupesh |
22th Dec 2022 | 1.3 | Saravanan & Rupesh |
Reviewed By | Version | Date | Signature |
Linda | 1.0 | 29-Dec-2019 | |
Linda | 1.1 | 22-Oct 2020 | |
Linda | 1.2 | 22-Oct 2021 | |
Linda | 1.3 | 22-Dec 2022 |
Table of Contents
The objective of this policy is to define and implement the appropriate level of information security measures while dealing with external vendors and contractors to protect information resources of Information Dynamics’.
ISO 27001:2013 Domain Reference: A.15 Supplier Relationships
ISO 27001:2013 Reference | |
A.15.1.1 | Information security policy for supplier relationships |
A.15.1.2 | Addressing security within supplier agreements |
A.15.1.3 | Information and communication technology supply chain |
A.15.2.1 | Monitoring and review of supplier services |
A.15.2.1 | Managing changes to supplier services |
ISO 20000:2011 Domain Reference:7.3- Supplier Management
The scope of the policy will be applicable to all activities under the scope statement of Information Dynamics.
The Admin department shall follow the Information Dynamics’ procurement process.
Due diligence shall be exercised while evaluating External Parties services to ensure accuracy of their claimed qualifications and successful delivery of contractual obligations.
Admin department in coordination with Project manager shall ensure that contractual agreements in terms of legal, business and technical requirements are negotiated and agreed with the suppliers, before commencing the project
The Information Security Manager shall ensure that the periodic information security risk assessment identifies potential Suppliers risks that could compromise the Confidentiality, Integrity & Availability of Information & information processing facilities.
Project Manager in coordination with Information Security Manager shall identify any additional information security risk specific to the project.
The analysis of risks related to supplier’s access to information and information processing facilities shall consider the following:
Possible impacts to the controls of the information processing facilities;
The classification of the information assets;
Processes for identifying, authenticating, authorizing and reviewing access rights of the External Parties; and
Security controls that are in place to control storing, processing, communicating, sharing or exchanging information.
Training requirements for organizations personnel involved in contractual relationship with the suppliers.
All risks identified shall be appropriately addressed through risks mitigation measures.
Wherever required, information security requirements and controls shall be documented in an agreement and signed by both the parties.
Based on the criticality of the project and the engagement nature, the below clauses shall be considered as part of Supplier Contracts:
Scope of the services delivered by the supplier
Compliance with legal and regulatory requirements.
Compliance with Intellectual property rights requirements.
Compliance with information security policies and procedures.
Dependencies between services, processes and the parties
Requirements to be fulfilled by the supplier.
Clear allocation of responsibilities to all the involved parties.
Statement on Non – Disclosure of information.
Information Dynamics’ rights to review and audit the compliance with the contracts.
Adequate Service Level Agreements (SLA), where applicable.
Service target
Interfaces between service management processes operated by the supplier and other parties – Supply chain management
Workload characteristics
Authorities and responsibilities of the service provider and the supplier
Reporting and communication to be provided by the supplier
Details on the type and classification of information and method of providing access.
Incident management requirements and procedures (especially notification and collaboration during incident remediation.
Relevant regulations for sub-contracting, including the controls that need to be implemented.
Relevant agreement partners, including a contact person for information security issues.
Screening requirements, if any, for supplier’s personnel including responsibility for conducting screening.
Conflict resolution processes
Activities and responsibilities for the expected or early termination of the contract and the transfer of services to a different party.
Supplier’s obligations to comply with the organization’s security requirements.
All changes to the contracts shall go through a formal change management process.
The Admin department shall ensure that NDA (Non-Disclosure Agreement) is signed by any Supplier, whenever there is a need to exchange of Information Dynamics’ whether for contractual purposes or any other justified business need.
The Admin department in general shall make use of the officially approved template of Non- Disclosure Agreements (NDA) available from Information Dynamics’ vetted by the Legal Department.
The NDA shall be signed by ID and the external party who presents the need-to-know for the disclosed information.
The NDA shall be signed before commencing the information disclosure to the external party, whether it is for a project-scoping phase or for any other justified business need.
Based on the risk involved, Individual NDA shall be signed for engagements involving critical business information.
Respective Projects Managers shall maintain appropriate reports and records, to monitor and measure the compliance with the information security and service management requirements. The Suppliers shall be responsible to take appropriate actions to address any non-conformity that might be identified during the compliance review.
Security events logging shall be fully activated for all information processing facilities with access provided to suppliers as per the contractual obligations.
Proper transition and exit management provisions shall be considered to ensure correct procedures for handing over external contracts or services back to Information Dynamics’.
Projects Managers shall ensure that proper transfer of knowledge is obtained from the Suppliers for the ongoing operation / maintenance.
Upon completion/termination of an engagement with suppliers, the Projects Managers shall inform the relevant information assets owners/custodians to revoke the access rights of the Suppliers who were granted access to the information processing facilities.
Projects Managers/Projects Owners shall ensure that all Information Dynamics’ assets provided to the Suppliers are returned such as laptops, books, manuals, documentation, building keys, magnetic access cards etc.
Any connections between the suppliers’ network and Information Dynamics’ corporate network shall be terminated in case of any security breach that has occurred or non-compliance of the Suppliers to any of Information Dynamics’ policies.
Reference: Process Manual for Purchase
The waiver is as per the Waiver policy updated in the ISMS policies.
Violations of this policy and supporting policies shall result in corrective action by Management. Disciplinary action will be consistent with the severity of the incident as determined by an investigation and may include, but may not be limited to:
Issuance of warning letter to the employee detailing the violations and consequences of his actions and a reply from the employee
Loss of access privileges to information assets
Termination of employment/Contract
Other actions as deemed appropriate by Management and HR as per the Disciplinary Actions Policy of Information Dynamics’
An Internal audit shall be carried out once a year and a report on the compliance shall be submitted to the Management.
Associated Documentation
Process Manual for Purchase
Non-Disclosure Agreements and contracts between ID and the third party supplier.