
Addressing information security within supplier agreements Policy

Document ID: ACPL-ISMS-C5.20
Document Classification: Internal
Issue Date (effective from): 01.12.2023
Version No: 1.0
Latest Review Date: 01.12.2023

Prepared By: Nitin Gupta, CISO
Reviewed By: Kunal Parikh, Director
Approved By: Vijay Gupta, Director



1. Control statement:

Relevant information security requirements should be established and agreed with each supplier
based on the type of supplier relationship.

2. Purpose:

To maintain an agreed level of information security in supplier relationships.

3. Scope:

This procedure covers the points to be considered while documenting agreements with suppliers.

4. Procedure:

4.1 Addressing information security within supplier agreements:

The following terms can be considered for inclusion in the agreements in order to satisfy the identified
information security requirements:

1) Description of the information to be provided or accessed and the methods of providing or accessing that information;
2) Classification of the information;
3) Legal, statutory, regulatory and contractual requirements, including data protection, handling of PII, intellectual property rights and copyright;
4) Obligation of each contractual party to implement an agreed set of controls, including access control, performance review, monitoring, reporting and auditing, and the supplier’s obligation to comply with the organization’s information security requirements;
5) Rules of acceptable use of information and other associated assets, including authorization for use of the organization’s assets by the supplier’s personnel;
6) Information security requirements regarding the supplier’s ICT infrastructure;
7) Indemnities and remediation for failure of the contractor to meet requirements;
8) Incident management requirements and procedures;
9) Training and awareness requirements for specific procedures and information security requirements;
10) Relevant provisions for sub-contracting;
11) Relevant contacts, including a contact person for information security issues;
12) Any screening requirements for the supplier’s personnel;
13) The evidence and assurance mechanisms of third-party attestations;
14) Right to audit the supplier’s processes and controls related to the agreement;

Doc ID: ACPL-ISMS-C5.20 Version 1.0 Last Rev. Date: 01.12.2023 Page 2 of 3

This document is confidential and must not be shared or copied without written permission from
Aethereus Consulting. Please return or destroy upon request.

15) Submission of corrective actions for the issues identified in reports;
16) Defect resolution and conflict resolution processes;
17) Provision of backups aligned with the organization’s needs;
18) Ensuring the availability of an alternate facility (i.e., a disaster recovery site);
19) A change management process that ensures advance notification to the organization and the possibility for the organization to reject changes;
20) Physical security controls commensurate with the information classification;
21) Information transfer controls to protect the information during physical transfer or logical transmission;
22) Termination clauses upon conclusion of the agreement, including records management, return of assets, secure disposal of information and other associated assets, and any ongoing confidentiality obligations;
23) Provision of a method for securely destroying the organization’s information stored by the supplier as soon as it is no longer required;
24) Ensuring, at the end of the contract, handover support to another supplier or to the organization itself;
25) The organization regularly reviews, validates and updates its agreements with external parties to ensure they are still required and fit for purpose, with relevant information security clauses.

5. Revision History

Revision   Date         Description       Author
1.0        01.12.2023   Initial release   CISO

