
Policy

Supplier Security Requirements

What [Company Name] expects of any supplier that handles its data or systems.

Your supply chain is your attack surface. This document sets out the minimum security expectations of suppliers — and gives you a questionnaire to send them. Bake the requirements into contracts wherever you can.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

Scope

Applies to any third party that stores, processes, or has access to [Company Name] data or systems — including SaaS vendors, IT suppliers, contractors, accountants, and marketing agencies.

Minimum requirements

  • Hold Cyber Essentials or ISO 27001 (or demonstrate equivalent controls).
  • Enforce MFA for all employees with access to our data.
  • Run modern endpoint protection (EDR) on all staff devices.
  • Patch internet-facing services within an agreed cadence.
  • Encrypt our data at rest and in transit.
  • Maintain a documented joiner / leaver process.
  • Provide annual evidence of staff security training.
  • Notify us of any security incident affecting our data within 24 hours of discovery.
  • Sign a UK GDPR Article 28 data processing agreement.

Supplier questionnaire

Send the following to any supplier handling our data.

About the supplier

  1. Do you hold Cyber Essentials, Cyber Essentials Plus, or ISO 27001? Attach the certificate.
  2. When was your last external penetration test?

Data handling

  1. Which of our data do you store / process?
  2. Where (country / region) is the data physically held?
  3. Who has access to it on your side?
  4. Do you share our data with any sub-processors? List them.
  5. What is your retention policy for our data after contract end?

Security controls

  1. Is MFA mandatory for all employees with access to customer data?
  2. Do you have endpoint protection (EDR) on all devices?
  3. What is your patching cadence on internet-facing services?
  4. Do you encrypt customer data at rest? Describe.

Incidents & assurance

  1. Have you had a security incident in the last 24 months?
  2. What is your incident notification commitment to us (hours, days)?
  3. Do you have cyber insurance covering breaches of our data?

People & contract

  1. Do staff receive security training? How often?
  2. Do you have a documented joiner / leaver process?
  3. Will you sign a UK GDPR Article 28 data processing agreement?
  4. Will you allow us to audit your security on reasonable notice?

Review

Send the questionnaire to your top [5] most data-intensive suppliers first, and re-run every [18–24 months]. Update this list and the questionnaire annually.

Tips for adoption

  • Don't send it to all 30 suppliers at once. Start with the 5 that have the most of your data.
  • Their answers (and non-answers) tell you where your concentrated risk really sits.
  • Bake the minimum requirements into new contracts; renegotiate at renewal.