UnixTime

Research Note

Supplier Security Agreement Requirements Checklist

Use this before signing or renewing supplier agreements where the supplier has access to information, systems, facilities, services, or security-relevant dependencies.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this before signing or renewing supplier agreements where the supplier has access to information, systems, facilities, services, or security-relevant dependencies.

Checklist

  • Supplier risk assessment completed.
  • Supplier owner assigned.
  • Information classification and data exposure identified.
  • Physical, logical, remote, privileged, or production access identified.
  • Confidentiality and non-disclosure requirements included.
  • Access control and identity requirements included.
  • Authentication and MFA requirements included where relevant.
  • Information transfer and handling requirements included.
  • Incident notification requirements included.
  • Vulnerability, patching, and secure maintenance requirements included where relevant.
  • Availability, continuity, and recovery requirements included where relevant.
  • Audit, assurance, or right-to-review requirements included where relevant.
  • Subcontractor approval and flow-down requirements included.
  • Data return, deletion, transfer, and exit requirements included.
  • Liability, non-performance, and disruption clauses reviewed.
  • Security deviations documented and approved.
  • Agreement signed by authorized representatives.
  • Access is blocked until required controls are implemented.