ISMS 5: Third Party Suppliers Policy

The standard defines the controls for third party suppliers.


All third parties that provide any services for Upmind Automation Limited are within the scope of this procedure.


The Director is responsible for ensuring that Upmind Automation Limited’s risk management framework meets the requirements of the Board of Directors and for identifying legislative or regulatory requirements in terms of risk management. The Director is responsible for the implementation of this policy for ALL related 3rd party vendors.

Senior Management is responsible for implementing, maintaining, and enforcing this policy.

The Director is responsible for:

  • Approving Medium and High Risk vendor contracts;
  • Ensuring that Managers comply with this policy;
  • Completing a Vendor Risk Assessment;
  • Completing a Vendor due diligence review;
  • Maintaining vendor files;
  • Effectively acting as vendor liaison.

The owners of third party relationships are responsible for the monitoring and reviewing of the services, reports and records carried out by the third party.

The Director is responsible for ensuring that adequate technical and other resources that might be required are made available to support the relationship owner in the monitoring and management of the relationship.

The Director is responsible for carrying out regular audits of third party performance.

The Director is responsible for regular reviews of exceptions and other internally generated reports relating to third party performance.

It is the policy of Upmind Automation Limited to effectively manage the lifecycle of all vendor relationships in order to responsibly steward resources and minimise the inherent risk associated with engaging third parties to perform services.

Vendor management, as addressed by this policy, consists of:

  • Vendor Risk Assessment;
  • Vendor Due Diligence;
  • Contract Management;
  • Vendor Supervision.

Vendor Risk Assessment

An initial risk analysis should be conducted for each potential vendor. At a minimum, the risk analysis will utilize the Vendor Risk Rating Matrix to assign a Vendor Risk Rating of Low, Medium, or High risk. A vendor is assigned a risk rating based on the highest risk level attributable to the contract, or sum of all contracts, with that vendor.
Exceptions to the assigned risk rating may be granted as noted by the Risk Rating Matrix.

The Rating is an indicator of the level of due diligence Upmind Automation Limited requires for each vendor.

  • Low risk vendors typically require little or no further analysis or due diligence.
  • Medium risk vendors should be evaluated to determine the appropriate level of due diligence required.
  • High risk vendors require annual due diligence review.

| Criteria | Low | Medium | High | Exceptions Granted By |
|---|---|---|---|---|
| Business Impact | Nominal business | Significant, but | business impact | |
| Total Contract Amount (Full term for multi year contracts) | <$20,000 | $20,000 - | | |
| Contract Term | One year or less | 1 - 3 years | > 3 years | |
| Access to Non-Public Personal (NPPI) for either members or employees | No access, except for possible unintentional exposure. | | | |
| Safety of Upmind Automation Limited Guests and | Injury or Illness – No Potential | Injury or Illness – Low Severity | Injury or Illness – | Safety Advisor |

Risk Reassessment

Risk assessments should be revisited as part of contract renewal or any time the relationship with the vendor changes in any significant way. Additionally, the vendor risk assessment will be revisited following an audit or an incident involving the contracted party that is related to services provided to Upmind Automation Limited.

Vendor Due Diligence

Due diligence requires a reasonable inquiry into a vendor's ability to meet the requirements for the proposed service. The degree of due diligence required in selecting a vendor will depend on the results of the initial Vendor Risk Assessment.

Due diligence for a low risk vendor may be nominal, while high risk vendors require more thorough due diligence. All records of due diligence performed in establishing the vendor relationship, including the Risk Rating, should be kept by the company in line with data retention requirements.

Escalation Process for 3rd party non-compliance

Where 3rd party vendors have been identified as being non-compliant with Upmind Automation Limited’s policies or procedures, or have been prosecuted, become insolvent, or become subject to international restrictions etc., it is the responsibility of the Director to upgrade the 3rd party risk register when such information is identified.
Depending on the level of raised risk, the increase in risk will be reported to the company board as soon as practically possible. Where the level of risk reaches an intolerable level, alternative suppliers will be sourced and the concerned 3rd party’s contract will be terminated. The board will be informed of any 3rd party whose contract with Upmind Automation Limited has been terminated.

Vendor files

It is the responsibility of the Director to implement a suitable vendor file which contains the following information:

  • Vendor ID;
  • Vendor Name;
  • Address;
  • Primary contact details;
  • Audit data;
  • Risk rating;
  • List of contracts;
  • Description of Service / Products provided.

The vendor file will be updated on a quarterly basis and will be made available to the board on a 6 monthly basis.

Third party risk management procedure

The external party agreement includes reporting structures, defines acceptable levels of performance and provides monitoring, inspection and audit rights.

The relationship owner monitors performance against the service and security criteria contained in the agreement, ensures that reports required under the agreement are delivered as required and reviews them, and conducts regular progress meetings as required.

The relationship owner ensures that information security incidents experienced by the third party are reviewed jointly and that relevant information security incidents experienced internally are communicated to the third party so that appropriate steps can be taken.

The relationship owner identifies any problems of any sort (including operational problems, failures, faults and tracing faults, and disruptions), on either side of the relationship, and ensures that they are resolved, using the agreed escalation procedure where necessary.

The Director is responsible for reviewing the third party’s internal audit trails and records of security events.
All review meetings must have agendas and minutes, with actions necessary to resolve issues arising clearly identified.

On a monthly basis, the Director reviews all outstanding actions in respect of deficiencies in third party services to ensure that appropriate corrective or preventive action is being taken, having regard to the fact that ultimate responsibility for the information processed by the third party remains with Upmind Automation Limited.