Supplier and Third-Party Information Security Risk Management

Supplier Security in Brief

  • Supplier security assessment proportionate to the data they handle
  • Contract clauses on confidentiality, breach notification and right to audit
  • Ongoing review based on supplier criticality

Supplier and Third-Party Information Security

Most organisations rely on a substantial network of suppliers, contractors, partners and service providers - and many of these have access to information, systems or processes that affect security. The information security model has to extend across that boundary. The strongest internal controls are undermined if a supplier with access to confidential data is itself badly run. Equally, an attack on a supplier can spill over into the customer organisation through shared systems, integrations or compromised credentials.

The controls split into three phases: choosing suppliers carefully, managing them through the relationship, and handling the security implications when they leave. Each phase has its own checks and records, and the depth of the checks should match the importance of the supplier and the sensitivity of what they touch.

Identifying Information Security Suppliers

Not every supplier is an information security concern. The local stationery supplier and the lawn care contractor probably do not need a full security review. Suppliers that handle personal data, hold confidential information, have access to systems, or could affect the availability of critical operations are different. The first job is identifying which suppliers fall into each category.

The supplier register is where this gets recorded. For each supplier, the register captures what they do, what information or systems they access, the contracts in place, the security expectations agreed, and who in the organisation owns the relationship. The register can be lighter for low-risk suppliers and more detailed for those who handle sensitive data or run critical services. The point is that nothing important is invisible.

The exercise of building the register is usually informative in itself. Most organisations find suppliers they had forgotten about, services that were adopted without going through procurement, and arrangements where the contract is so old that nobody remembers what was agreed. Sorting these out is normal first-pass work, not a sign that something has gone wrong.

Supplier Security Assessment and Onboarding

Before a new supplier is engaged for anything that touches information security, an assessment confirms that they meet the organisation's expectations. The depth of the assessment depends on what they will do. For a supplier with access to bulk personal data, the assessment is substantial - certifications and assurance reports held (ISO 27001, Cyber Essentials, SOC 2 reports), security policies, breach history, references. For a low-risk supplier, a short questionnaire and a review of their published security position may be enough.

The contract is where the security expectations get formalised. Standard clauses cover: how the supplier handles confidential information, how and how quickly they notify breaches, how they handle personal data under UK GDPR as a processor or sub-processor, what audit rights the customer has, and what happens to data when the contract ends. The clauses do not have to be drafted from scratch - industry body templates and the Information Commissioner's Office guidance on controller-processor contracts are usable starting points.

For suppliers handling personal data, a data processing agreement (DPA) is a legal requirement under UK GDPR - it sets out the processor's obligations, the categories of data, the security measures required and the breach notification arrangements. Having a DPA in place before the data starts flowing is much easier than trying to negotiate one after a problem has arisen.

Ongoing Supplier Management

Suppliers do not stay static. Their certifications expire, their staff change, their security posture shifts as their own business evolves. A periodic review - typically annual for important suppliers, less frequent for minor ones - keeps the picture current. The review checks that the certifications are still valid, that the original assessment still reflects reality, and that any incidents involving the supplier have been picked up.

Supplier-related incidents need particular attention. A breach at a supplier that holds personal data on the organisation's behalf is the organisation's breach to report, regardless of whose fault it was technically. UK GDPR requires the processor to notify the controller without undue delay, and the contract should require the supplier to notify the customer promptly enough that the 72-hour ICO reporting clock, which starts when the organisation becomes aware of the breach, can be met. The internal incident process needs to handle supplier-originated incidents with the same urgency as those originating internally.

Cloud services are a particular form of supplier and benefit from the same controls. The cloud register and the supplier register cover overlapping territory and should be cross-referenced rather than duplicated. The same goes for outsourced IT, payroll providers, hosted application services and similar - they are all suppliers from a security perspective, even if procurement treats them differently.

Supplier Exit and Information Security

When a supplier relationship ends, the security implications need handling. Their access to systems is revoked, the accounts they used are disabled, any shared secrets or API keys they knew are rotated, and the data they held is returned or securely destroyed with a record kept of how. For suppliers who held confidential information, a written confirmation that the data has been disposed of is reasonable to ask for and worth retaining.

The exit phase often gets neglected because it happens after the operational interest has gone. The supplier has been replaced, the team has moved on, and the residual administrative work is left undone. The result is dormant access accounts, unreturned data, and contractual obligations that were never closed out. The procedural fix is to include exit security as a standard item on the contract close-out checklist, with sign-off required before the relationship is fully closed.
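The register, the periodic review and the exit checklist above are all consistency checks that can be run over two inputs: the supplier register itself and an export of supplier accounts from the identity provider. The following is an added example, not code from the page or from any alphaZ document. The field names (tier, status, personal_data, dpa_signed, cert_expiry, last_review, disposal_confirmed), the review intervals and the sample records are assumptions constructed for illustration; a real register will have different columns.

```python
"""Consistency checks over a supplier register and an account inventory.

Added example. Field names, review intervals and all sample records below
are assumptions constructed for illustration, not the page's own data.
"""
from datetime import date, timedelta

# Review cadence by supplier criticality, in days. Assumed values: the text
# says "typically annual for important suppliers, less frequent for minor ones".
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": None}

# Date the checks are run against (fixed so the example is deterministic).
AS_OF = date(2024, 9, 1)

# Constructed sample register. None means "not recorded".
SUPPLIERS = [
    {"name": "Payroll Co", "tier": "high", "status": "active",
     "personal_data": True, "dpa_signed": date(2022, 4, 1),
     "cert_expiry": date(2024, 1, 31), "last_review": date(2023, 2, 10),
     "disposal_confirmed": None},
    {"name": "Hosted CRM", "tier": "high", "status": "active",
     "personal_data": True, "dpa_signed": None,
     "cert_expiry": date(2025, 6, 30), "last_review": date(2024, 3, 1),
     "disposal_confirmed": None},
    {"name": "Old Backup Ltd", "tier": "medium", "status": "exited",
     "personal_data": True, "dpa_signed": date(2020, 1, 1),
     "cert_expiry": date(2023, 1, 1), "last_review": date(2022, 5, 5),
     "disposal_confirmed": None},
    {"name": "Stationery Shop", "tier": "low", "status": "active",
     "personal_data": False, "dpa_signed": None,
     "cert_expiry": None, "last_review": None,
     "disposal_confirmed": None},
]

# Constructed account inventory, as exported from an identity provider.
ACCOUNTS = [
    {"username": "svc-payrollco", "supplier": "Payroll Co", "enabled": True},
    {"username": "oldbackup-admin", "supplier": "Old Backup Ltd", "enabled": True},
    {"username": "oldbackup-api", "supplier": "Old Backup Ltd", "enabled": False},
]


def check_register(suppliers, accounts, today):
    """Return (supplier, issue) pairs for the gaps the text describes:
    missing DPA, expired certification, overdue review, and exited suppliers
    with live accounts or no written disposal confirmation."""
    findings = []

    # Index enabled accounts by the supplier that owns them.
    live_accounts = {}
    for acct in accounts:
        if acct["enabled"]:
            live_accounts.setdefault(acct["supplier"], []).append(acct["username"])

    for s in suppliers:
        name = s["name"]

        if s["status"] == "exited":
            # Exit phase: access revoked, data returned or destroyed.
            for user in live_accounts.get(name, []):
                findings.append((name, f"account still enabled after exit: {user}"))
            if s["personal_data"] and not s["disposal_confirmed"]:
                findings.append((name, "no written confirmation of data disposal"))
            continue

        # Onboarding: a DPA must be in place before personal data flows.
        if s["personal_data"] and s["dpa_signed"] is None:
            findings.append((name, "processes personal data but no DPA recorded"))

        # Ongoing management: certificates lapse and reviews fall overdue.
        interval = REVIEW_INTERVAL_DAYS.get(s["tier"])
        if interval is None:
            continue  # low-risk suppliers are not put through periodic review
        if s["cert_expiry"] is None or s["cert_expiry"] < today:
            findings.append((name, "security certification missing or expired"))
        if s["last_review"] is None or today - s["last_review"] > timedelta(days=interval):
            findings.append((name, "periodic review overdue"))

    return findings


if __name__ == "__main__":
    for supplier, issue in check_register(SUPPLIERS, ACCOUNTS, AS_OF):
        print(f"{supplier}: {issue}")
```

Run against the sample data this reports five findings: an expired certificate and an overdue review for Payroll Co, a missing DPA for Hosted CRM, and a still-enabled account plus no disposal confirmation for Old Backup Ltd. The low-risk Stationery Shop is skipped entirely, which is the proportionality point the text makes. The same checks work as a quarterly job if the register and the identity export are kept in machine-readable form rather than a spreadsheet nobody opens.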

Supplier security is one of those areas where the controls are not glamorous but they catch a lot of risk. A register so you know who is doing what. An assessment proportional to the risk. A contract that covers the security side properly. A periodic review. An exit process. Five steps, applied consistently, that stop most supplier-related incidents from getting near the organisation in the first place.

The most common gap I find is the supplier register. Either it does not exist, or it lists half the suppliers, or it has not been updated for two years. Without the register, the assessment, contract review and incident response work cannot be applied consistently, because the organisation does not know who its suppliers actually are. Building the register is the necessary first step, even if it takes some uncomfortable conversations with parts of the business that have been adopting cloud services without going through procurement.

The other consistent gap is sub-processors. The headline supplier is on the register and the contract is in order, but the supplier in turn relies on three or four other providers, none of whom have been considered. Under UK GDPR a processor may only engage a sub-processor with the controller's prior written authorisation, either specific or general with notice of any changes, so the organisation should know who those sub-processors are and have a record of approving them.

We rebuilt our supplier register a couple of years ago after an audit found the previous version was missing several major cloud services. Now every new supplier goes through a short security questionnaire before they are engaged, and the register is reviewed quarterly.

Practical Compliance Guidance

The IMS1 manual covers supplier and third-party information security within the wider information security and supplier management sections. The supplier register sits alongside the cloud register and the information assets register, with overlapping records cross-referenced rather than duplicated.

The following alphaZ documents support a practical approach to supplier and third-party information security.

alphaZ document - How to use it

ISO 27001 Toolkit - Full document set for setting up an information security management system, including the supplier security policy and supporting registers.
P-37 Supplier Security Policy - Policy covering the security expectations of suppliers, the assessment process and the contractual requirements that apply.
PP-1-09 Supplier Appraisal Policy Procedure - Procedure covering supplier evaluation, onboarding, periodic review and the criteria applied at each stage.
F-IMS42 Key Suppliers Register - Register of key suppliers with the services they provide, the information or systems they access, and the contractual arrangements.
F-Q9 Supplier Contractor Appraisal Form - Form for evaluating new suppliers and re-evaluating existing ones at the periodic review point.
A-C_P50 Supplier Audit Checklist - Checklist for auditing important suppliers where the contractual relationship includes audit rights.
PP-8-100 Information Security Policy Procedure - The master policy that sets out the supplier security sections referenced from the standalone documents above.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Which suppliers need a security check?

Any supplier that handles personal data, holds confidential information, has access to systems, or could affect the availability of critical operations. The depth of the check scales with the risk - a supplier holding bulk customer personal data warrants a substantial assessment, while a supplier delivering office consumables probably does not need any security review. The judgement is about exposure, not just spend - a small specialist provider can carry as much risk as a large mainstream one if the data they handle is sensitive.

Is ISO 27001 certification enough on its own?

ISO 27001 certification is a strong indicator that a supplier has a working information security management system, and for routine supplier assessment it is normally sufficient. The certificate confirms that an external auditor has tested the supplier's controls against the standard. It is not absolute: check that the certification body is accredited, that the certificate's scope actually covers the service and locations you are buying, and that the certificate is current. The certificate alone does not tell you whether the supplier has had recent incidents or how the relationship is governed. Other certifications and attestations (Cyber Essentials Plus, SOC 2 Type II, sector-specific schemes) carry similar weight depending on the context.

What does a data processing agreement need to cover?

A data processing agreement (DPA) is required under UK GDPR wherever a supplier processes personal data on behalf of the organisation. It covers the subject matter and duration of processing, the nature and purpose, the categories of data and the categories of individuals, the controller's instructions, the security measures required, the obligations on sub-processors, the breach notification arrangements, and what happens to data at the end of the contract. The Information Commissioner's Office publishes guidance on controller-processor contracts that works well as a starting point. The DPA should be in place before personal data starts flowing, not negotiated retrospectively.

What happens when a supplier has a breach?

A breach at a supplier processing personal data on the organisation's behalf is treated as the organisation's own breach for reporting purposes. The 72-hour Information Commissioner's Office reporting clock starts when the organisation becomes aware of it, and the assessment of whether the breach is likely to result in a risk to individuals is the same as for an internal breach. The supplier contract should require the supplier to notify the organisation promptly enough to meet that timescale - this is one of the standard DPA clauses. The organisation's incident response process should treat supplier-originated incidents with the same urgency as internal ones, including parallel work on legal, contractual and reputational consequences.

UK Legislation

The following UK legislation is directly relevant to supplier and third-party information security. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
