
Supply chain cyber security policies (a family of documents)

These cyber security policies should be used by a customer purchasing services and wanting to impose contractual obligations upon the supplier in relation to cyber security. The policies can be adapted to focus on specific risks or to apply general standards. These policies were created and are maintained by Emma Osborn of OCSRC.

Supply chain cyber security policy (standard)

From £30.00 or 30 credits
Version 1.0
First published 6 Aug 2018
Last updated 19 Jan 2023
Word count 2,864
Template pages 5

Supply chain cyber security policy (premium)

From £40.00 or 40 credits
Version 1.0
First published 6 Aug 2018
Last updated 19 Jan 2023
Word count 4,971
Template pages 9

Compare contents

Supply chain cyber security policy (standard) contents

  1. Introduction: purpose of cyber security document; Provider to protect Customer interests regarding cyber security.
  2. Definitions: definitions.
  3. Status of this Policy: document forms part of contract.
  4. Cyber security risks: cyber security is a strategic risk; reference to identified risks; Data protection impact assessments; cyber security risk assessments.
  5. Cyber security approach: processing data compliance; Provider to maintain minimum level of security; Provider to maintain adequate level of security; Provider to maintain equivalent level of security.
  6. Cyber security requirements: compliance with applicable standards; implementation of cyber security controls (access); cyber security training requirements; implementation of technical controls.
  7. Actions upon termination: managing termination of contract; provision of data on contract termination; deletion of Customer data; provision of a record of data retained by the other party; access credentials revoked; requirements remaining in force.

ANNEX 1 (EVIDENCE REQUIRED OF COMPLIANCE)

    List of evidence of compliance with cyber security policy.

ANNEX 2 (ADEQUATE ENCRYPTION STANDARDS)

    List of adequate encryption standards.

Supply chain cyber security policy (premium) contents

  1. Introduction: purpose of cyber security document; Provider to protect Customer interests regarding cyber security.
  2. Definitions: definitions.
  3. Status of this Policy: document forms part of contract.
  4. Cyber security risks: cyber security is a strategic risk; reference to identified risks; Data protection impact assessments; cyber security risk assessments.
  5. Cyber security approach: processing data compliance; Provider to maintain minimum level of security; Provider to maintain adequate level of security; Provider to maintain equivalent level of security.
  6. Cyber security requirements: compliance with applicable standards; implementation of cyber security controls (access); cyber security training requirements; implementation of technical controls.
  7. Evidential requirements and auditing: evidence of meeting cyber security requirements; reducing risks; independent audit to prove compliance; requirement of audited standards compliance evidence; evidence of self-assessed compliance; ongoing standards compliance.
  8. Detecting cyber security breaches: logging of system activities; retention of logs beyond the term; recording of system access; monitoring of system; compliance with laws when monitoring system; monitoring of system; review of system logs.
  9. Responding to cyber security breaches: supply of logs for disciplinary action; supply of system logs in the event of a cyber security breach; supply of logs to third parties for investigation; revoking of access to the system; prohibition of employees accessing system; triggering an investigation following complaint; notification of unusual activity or mistakes; notification of breach in Customer system; notification of breach in Provider system; notifying Information Commissioner's Office in case of breach.
  10. System and Policy reviews and updates: notification of changes to IT system; notification of changes to shared data/system; notification of new threats; notification of security vulnerability; responsibility for reviewing policy; timing of updates; ad hoc reviews and updates; review considerations.
  11. Actions upon termination: managing termination of contract; provision of data on contract termination; deletion of Customer data; provision of a record of data retained by the other party; access credentials revoked; requirements remaining in force.

ANNEX 1 (EVIDENCE REQUIRED OF COMPLIANCE)

    List of evidence of compliance with cyber security policy.

ANNEX 2 (ADEQUATE ENCRYPTION STANDARDS)

    List of adequate encryption standards.

ANNEX 3 (FORM OF NOTIFICATION OF CYBER SECURITY BREACH)

  1. Introduction: identification of person giving cyber security breach notification.
  2. Description of cyber security breach: prompt for description of cyber security breach.
  3. Parts of Provider System affected: prompt for specification of affected system parts.
  4. Proportion of data assets affected: prompt for insertion of proportion of data assets affected.
  5. Is personal data concerned?: details of effects of breach on personal data.
  6. Likely consequences of breach: prompt to identify likely consequences of breach.
  7. Measures taken to address breach: prompt to describe measures taken to address breach.
  8. Has anyone other than the Customer been notified of the breach?: details of who has been notified of cyber security breach.
  9. Late report of breach: reasons for later report of cyber security breach.
  10. Contact details: details of person handling cyber security breach.