[Company Name] expects of any supplier that handles its data or systems." /> [Company Name] expects of any supplier that handles its data or systems." /> Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Policy

Supplier Security Requirements

What [Company Name] expects of any supplier that handles its data or systems.

Your supply chain is your attack surface. This document sets out the minimum security expectations of suppliers, and provides a questionnaire to send them.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

Scope

Applies to any third party that stores, processes, or has access to [Company Name] data or systems.

Minimum requirements

  • Hold (or demonstrate equivalent controls of) Cyber Essentials or ISO 27001.
  • Enforce MFA for all employees with access to our data.
  • Run modern endpoint protection (EDR).
  • Patch internet-facing services on an agreed cadence.
  • Encrypt our data at rest and in transit.
  • Maintain a documented joiner / leaver process.
  • Provide annual evidence of staff security training.
  • Notify us of any incident affecting our data within 24 hours.
  • Sign a UK GDPR Article 28 data processing agreement.

Supplier questionnaire

Send the following to any supplier handling our data.

About the supplier

  1. Do you hold Cyber Essentials, Cyber Essentials Plus, or ISO 27001?
  2. When was your last external penetration test?

Data handling

  1. What of our data do you store / process?
  2. Where is the data physically held?
  3. Who has access to it on your side?
  4. Do you share our data with any sub-processors?
  5. What is your retention policy for our data?

Security controls

  1. Is MFA mandatory?
  2. Do you have EDR on all devices?
  3. What is your patching cadence?
  4. Do you encrypt customer data at rest?

Incidents & assurance

  1. Any incident in the last 24 months?
  2. Incident notification commitment?
  3. Cyber insurance covering our data?

People & contract

  1. Staff security training?
  2. Joiner / leaver process?
  3. UK GDPR Article 28 DPA?
  4. Audit rights?

Review

Send to your top [5] most data-intensive suppliers first, and re-run every [18–24 months].

Tips for adoption

  • Don't send it to all 30 suppliers at once.
  • Their answers tell you where concentrated risk sits.
  • Bake the minimum requirements into new contracts.