When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this before signing or renewing supplier agreements where the supplier has access to information, systems, facilities, services, or security-relevant dependencies.
Checklist
- Supplier risk assessment completed.
- Supplier owner assigned.
- Information classification and data exposure identified.
- Physical, logical, remote, privileged, or production access identified.
- Confidentiality and non-disclosure requirements included.
- Access control and identity requirements included.
- Authentication and MFA requirements included where relevant.
- Information transfer and handling requirements included.
- Incident notification requirements included.
- Vulnerability, patching, and secure maintenance requirements included where relevant.
- Availability, continuity, and recovery requirements included where relevant.
- Audit, assurance, or right-to-review requirements included where relevant.
- Subcontractor approval and flow-down requirements included.
- Data return, deletion, transfer, and exit requirements included.
- Liability, non-performance, and disruption clauses reviewed.
- Security deviations documented and approved.
- Agreement signed by authorized representatives.
- Access is blocked until required controls are implemented.
Related notes
- Template
- Supplier security
- Contracts
- Iso27001
Note Metadata
Aliases: Supplier Agreement Security Checklist
Source: 90 Templates/Supplier Security Agreement Requirements Checklist.md
Related Notes
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.37 - Documented Operating Procedures
- A.5.20 Audit Evidence Pack
- A.5.21 Audit Evidence Pack
- ISO 27001 A.8.30 - Outsourced Development
- A.5 Organizational Controls Implementation Guide
- ISO 27002 Annex A Control Interpretation Map
- A.5.20 Audit Checklist
- A.5.21 Audit Checklist
- Supplier Security Risk Assessment
- Templates MOC