Your supply chain is your attack surface. This document sets out the minimum security expectations of suppliers, and provides a questionnaire to send them.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
Scope
Applies to any third party that stores, processes, or has access to [Company Name] data or systems.
Minimum requirements
- Hold (or demonstrate equivalent controls of) Cyber Essentials or ISO 27001.
- Enforce MFA for all employees with access to our data.
- Run modern endpoint protection (EDR).
- Patch internet-facing services on an agreed cadence.
- Encrypt our data at rest and in transit.
- Maintain a documented joiner / leaver process.
- Provide annual evidence of staff security training.
- Notify us of any incident affecting our data within 24 hours.
- Sign a UK GDPR Article 28 data processing agreement.
Supplier questionnaire
Send the following to any supplier handling our data.
About the supplier
- Do you hold Cyber Essentials, Cyber Essentials Plus, or ISO 27001?
- When was your last external penetration test?
Data handling
- What of our data do you store / process?
- Where is the data physically held?
- Who has access to it on your side?
- Do you share our data with any sub-processors?
- What is your retention policy for our data?
Security controls
- Is MFA mandatory?
- Do you have EDR on all devices?
- What is your patching cadence?
- Do you encrypt customer data at rest?
Incidents & assurance
- Any incident in the last 24 months?
- Incident notification commitment?
- Cyber insurance covering our data?
People & contract
- Staff security training?
- Joiner / leaver process?
- UK GDPR Article 28 DPA?
- Audit rights?
Review
Send to your top [5] most data-intensive suppliers first, and re-run every [18–24 months].
Tips for adoption
- Don't send it to all 30 suppliers at once.
- Their answers tell you where concentrated risk sits.
- Bake the minimum requirements into new contracts.