ISMS-DOC-08-1 Supplier Information Security Evaluation Process


2.3.6 Supplier carries out improvements

The supplier is then given an opportunity to address the improvements on the agreed list to the target timescales. The frequency of regular progress updates should be agreed, and progress tracked against the plan. Failure to achieve the identified improvements within the target timescales should be discussed both with the supplier contact and with top management within [Organization Name], and the level of risk assessed.

2.3.7 Regular reporting and review

In addition to a full annual review, supplier information security assessments will be evaluated on a regular basis to ensure that they remain current. The relevant assessments will also be reviewed upon major changes to the business, such as mergers and acquisitions or the introduction of new products and services.

2.4 Process outputs

The process of supplier information security evaluation results in several outputs which show that all of the steps have been completed successfully. These outputs should include, where possible:

• The completed assessment questionnaire
• Supporting evidence of supplier information security arrangements
• Minutes of meetings held
• Management approval of the conclusions reached
• Results of regular reviews

The availability of this information will allow the conclusions reached to be verified and validated in future reviews and audits.

Version 1

Page 12 of 14

[Insert date]
