Third-Party and Supplier Security Policy - SME

The P26S – Third-Party and Supplier Security Policy is specifically tailored for SMEs, reflecting a governance structure where dedicated IT roles like CISO or SOC are typically absent. Instead, responsibility is centralized under the General Manager (GM), simplifying accountability while maintaining strong compliance with ISO/IEC 27001:2022 and other key regulatory frameworks. This design ensures robust security oversight even for smaller organizations without specialized personnel. The policy's main purpose is to formalize and enforce essential security measures whenever engaging, managing, or terminating relationships with third parties and suppliers who interact with or impact the organization's data, systems, or services. Covered suppliers range from IT and cloud service providers to software developers and HR or finance consultants. By clarifying security expectations, documenting supplier risks before granting access, and requiring enforceable contractual safeguards, the policy minimizes the risks of data leaks, unapproved system modifications, regulatory infractions, and business disruption. The policy explicitly defines its scope to include both all third parties with potential access to organizational assets, and internal personnel involved in vendor selection, supervision, onboarding, contracting, or review. Centralized roles include the General Manager, IT provider or internal security contact, and procurement or administrative contacts, ensuring clear accountability throughout the supplier lifecycle. The vendor or supplier is required to agree in writing to comply with security obligations and report incidents. Key governance requirements cover supplier risk reviews prior to engagement, mandatory security clauses in all contracts, the maintenance of a detailed Supplier Register, and procedures for monitoring changes in ownership, service scope, or subcontracting. Implementation steps require that no supplier is ever granted access before due diligence and without explicit approval, that only minimum system/data access is given, and that all data transmission is properly encrypted. Ongoing requirements include periodic audit and review, at least annually for high-risk suppliers, along with strict procedures for terminating contracts and revoking access. The policy integrates a structured process for risk treatment and exceptions, ensuring any gaps are managed with compensating controls and that no exception can violate legal or regulatory obligations (e.g., GDPR or DORA requirements). Enforcement is clearly described, with outlined sanctions up to and including contract termination and legal action. Compliance readiness is embedded, requiring documentation sufficient for passing audits under ISO 27001, GDPR, and related standards. Finally, the annual review cycle and linkage with closely related information security policies ensure the policy remains current, effective, and integrated within the broader security framework.