
Supply chain cyber security policy (premium)

Increasingly, organisations are recognising cyber security as a strategic risk, touching every aspect of their business, including the way they interact with suppliers and customers.

This supplier cyber security policy is intended to assist your organisation in producing a contract, or a schedule or addendum to a contract, describing the cyber security requirements a supplier (or other person) must comply with before it can do business with your organisation.

The template may be edited to align with a variety of goals, from managing a handful of specific risks when a new supplier's system begins interacting with your own, to attempting to achieve a cyber security benchmark across your entire supply chain.

The content of the policy you produce will depend on the type of interaction you have with the other business, what risks you have identified in your B2B interactions, and how much risk/effort the other organisation is willing to have transferred to it under the contract.

The policy includes suggestions about which terms to choose and opportunities to add further terms, allowing organisations to mould them to their specific needs. It is delivered with extensive guidance, to allow purchasers to bridge the knowledge gap between legal and technical expertise.

This is an extended version of our standard supplier cyber security policy. It contains all the provisions of that document and in addition includes clauses relating to auditing, breach detection, breach response and policy updating.

This policy was created and is maintained by Emma Osborn of OCSRC in collaboration with Docular.


Supply chain cyber security policy (premium) contents

  1. Introduction: purpose of cyber security document; to protect interests regarding cyber security.
  2. Definitions: definitions.
  3. Status of this Policy: document forms part of contract.
  4. Cyber security risks: cyber security is a strategic risk; reference to identified risks; Data protection impact assessments; cyber security risk assessments.
  5. Cyber security approach: processing data compliance; to maintain minimum level of security; to maintain adequate level of security; to maintain equivalent level of security.
  6. Cyber security requirements: compliance with applicable standards; implementation of cyber security controls (access); cyber security training requirements; implementation of technical controls.
  7. Evidential requirements and auditing: evidence of meeting cyber security requirements; reducing risks; independent audit to prove compliance; requirement of audited standards compliance evidence; evidence of self-assessed compliance; ongoing standards compliance.
  8. Detecting cyber security breaches: logging of system activities; retention of logs beyond the term; recording of system access; monitoring of system; compliance with laws when monitoring system; monitoring of system; review of system logs.
  9. Responding to cyber security breaches: supply of logs for disciplinary action; supply of system logs in the event of a cyber security breach; supply of logs to third parties for investigation; revoking of access to the system; prohibition of employees accessing system; triggering an investigation following complaint; notification of unusual activity or mistakes; notification of breach in system; notification of breach in system; notifying Information Commissioner's Office in case of breach.
  10. System and reviews and updates: notification of changes to IT system; notification of changes to shared data/system; notification of new threats; notification of security vulnerability; responsibility for reviewing policy; timing of updates; ad hoc reviews and updates; review considerations.
  11. Actions upon termination: managing termination of contract; provision of data on contract termination; deletion of data; provision of a record of data retained by the other party; access credentials revoked; requirements remaining in force.


List of evidence of compliance with cyber security policy.

List of adequate encryption standards.


  1. Introduction: identification of person giving cyber security breach notification.
  2. Description of cyber security breach: prompt for description of cyber security breach.
  3. Parts of 
    prompt for specification of affected system parts.
  4. Proportion of data assets affected: prompt for insertion of proportion of data assets affected.
  5. Is personal data concerned?: details of effects of breach on personal data.
  6. Likely consequences of breach: prompt to identify likely consequences of breach.
  7. Measures taken to address breach: prompt to describe measures taken to address breach.
  8. Has anyone other than the Customer been notified of the breach?: details of who has been notified of cyber security breach.
  9. Late report of breach: reasons for later report of cyber security breach.
  10. Contact details: details of person handling cyber security breach.
Supply chain cyber security policy (premium) document editor preview
This is a shortened preview of the editor interface; once you create your instance you'll be able to edit the full document in our online editor.
Supply chain cyber security policy (premium) document preview
This is a shortened preview of the DOCX output; once you create your instance you'll be able to download the full document in PDF, HTML, RTF and/or DOCX (Microsoft Word) format.