Information Technology Department
Policy Document
Supplier Management Policy Page 1
Supplier Management Policy
Document Summary
Information Dynamics
Document Name
Supplier Management Policy
Compliance Reference
ISO 27001:2013 and ISO 20000:2011
Document Revision History
Prepared By
OCT 2019
Information Dynamics
Oct 2020
Saravanan & Rupesh
Oct 2021
Saravanan & Rupesh
Document Review History
22-Oct 2020
22-Oct 2021
Table of Contents
1. Purpose
2. Scope
3. Policy
4. Waiver Policy
5. Enforcement and Violations
1. Purpose
The objective of this policy is to define and implement the appropriate level of information security
measures when dealing with external vendors and contractors, in order to protect the information
resources of Information Dynamics.
ISO 27001:2013 Domain Reference: A.15 Supplier Relationships
ISO 27001:2013 Reference
Information security policy for supplier relationships
Addressing security within supplier agreements
Information and communication technology supply chain
Monitoring and review of supplier services
Managing changes to supplier services
ISO 20000:2011 Domain Reference: 7.3 Supplier Management
2. Scope
The scope of the policy will be applicable to all activities under the scope statement of Information
3. Policy
3.1. Supplier Selection
a) The Admin department shall follow the Information Dynamics’ procurement process.
b) Due diligence shall be exercised while evaluating External Parties’ services to ensure the accuracy
of their claimed qualifications and the successful delivery of contractual obligations.
c) The Admin department, in coordination with the Project Manager, shall ensure that contractual
agreements covering legal, business and technical requirements are negotiated and agreed
with the suppliers before commencing the project.
3.2. Identification of Risk Related to Suppliers
a) The Information Security Manager shall ensure that the periodic information security risk
assessment identifies potential Supplier risks that could compromise the Confidentiality,
Integrity & Availability of information and information processing facilities.
b) The Project Manager, in coordination with the Information Security Manager, shall identify any
additional information security risks specific to the project.
c) The analysis of risks related to suppliers’ access to information and information processing
facilities shall consider the following:
Possible impacts to the controls of the information processing facilities;
The classification of the information assets;
Processes for identifying, authenticating, authorizing and reviewing access rights of the
External Parties;
Security controls that are in place to control storing, processing, communicating,
sharing or exchanging information; and
Training requirements for the organization’s personnel involved in the contractual relationship
with the suppliers.
All risks identified shall be appropriately addressed through risk mitigation measures.
d) Wherever required, information security requirements and controls shall be documented in an
agreement and signed by both parties.
3.3. External Parties Contracts
a) Based on the criticality of the project and the engagement nature, the below clauses shall be
considered as part of Supplier Contracts:
Scope of the services delivered by the supplier
Compliance with legal and regulatory requirements.
Compliance with Intellectual property rights requirements.
Compliance with information security policies and procedures.
Dependencies between services, processes and the parties
Requirements to be fulfilled by the supplier.
Clear allocation of responsibilities to all the involved parties.
Statement on Non-Disclosure of information.
Information Dynamics’ rights to review and audit the compliance with the contracts.
Adequate Service Level Agreements (SLA), where applicable.
Service target
Interfaces between service management processes operated by the supplier and other
parties
Supply chain management
Workload characteristics
Authorities and responsibilities of the service provider and the supplier
Reporting and communication to be provided by the supplier
Details on the type and classification of information and method of providing access.
Incident management requirements and procedures (especially notification and
collaboration during incident remediation).
Relevant regulations for sub-contracting, including the controls that need to be
Relevant agreement partners, including a contact person for information security issues.
Screening requirements, if any, for supplier’s personnel including responsibility for
conducting screening.
Conflict resolution processes
Activities and responsibilities for the expected or early termination of the contract and
the transfer of services to a different party.
Supplier’s obligations to comply with the organization’s security requirements.
b) All changes to the contracts shall go through a formal change management process.
3.4. Non-Disclosure Agreement Sign-off
a) The Admin department shall ensure that an NDA (Non-Disclosure Agreement) is signed by any
Supplier whenever there is a need to exchange Information Dynamics’ information, whether for
contractual purposes or any other justified business need.
b) The Admin department in general shall make use of the officially approved template of Non-
Disclosure Agreements (NDA) available from Information Dynamics’ vetted by the Legal
c) The NDA shall be signed by ID and the external party who presents the need-to-know for the
disclosed information.
d) The NDA shall be signed before commencing the information disclosure to the external party,
whether it is for a project-scoping phase or for any other justified business need.
e) Based on the risk involved, an individual NDA shall be signed for engagements involving critical
business information.
3.5. Monitoring and Review of External Parties Services
a) The respective Project Managers shall maintain appropriate reports and records to monitor and
measure compliance with the information security and service management requirements.
The Suppliers shall be responsible for taking appropriate actions to address any non-conformity
that might be identified during the compliance review.
b) Security event logging shall be fully activated for all information processing facilities with
access provided to suppliers as per the contractual obligations.
3.6. Termination of External Parties Services
a) Proper transition and exit management provisions shall be considered to ensure correct
procedures for handing over external contracts or services back to Information Dynamics.
b) Project Managers shall ensure that proper transfer of knowledge is obtained from the Suppliers
for the ongoing operation / maintenance.
c) Upon completion/termination of an engagement with suppliers, the Project Managers shall
inform the relevant information asset owners/custodians to revoke the access rights of the
Suppliers who were granted access to the information processing facilities.
d) Project Managers/Project Owners shall ensure that all Information Dynamics’ assets provided
to the Suppliers, such as laptops, books, manuals, documentation, building keys and
magnetic access cards, are returned.
e) Any connections between the suppliers’ network and Information Dynamics’ corporate network
shall be terminated if a security breach has occurred or if the Suppliers do not comply with
any of Information Dynamics’ policies.
Reference: Process Manual for Purchase
4. Waiver Policy
The waiver is as per the Waiver policy updated in the ISMS policies.
5. Enforcement and Violations
a) Violations of this policy and supporting policies shall result in corrective action by
Management. Disciplinary action will be consistent with the severity of the incident as
determined by an investigation and may include, but may not be limited to:
Issuance of warning letter to the employee detailing the violations and consequences of
his actions and a reply from the employee
Loss of access privileges to information assets
Termination of employment/Contract
Other actions as deemed appropriate by Management and HR as per the Disciplinary
Actions Policy of Information Dynamics
b) An internal audit shall be carried out once a year and a report on compliance shall be
submitted to the Management.
Associated Documentation
Process Manual for Purchase
Non-Disclosure Agreements and contracts between ID and the third-party supplier.