Security & Compliance


IS-13 Supplier and Partner Security Policy

Last updated: 24 October 2024 at 11:47:25 UTC by Russell Briggs

Supplier and Partner Security Policy

Document Ref No: IS-13
Version No: V1
Last review date: 18/10/2021
Approved by: Dom Tyler
Next review: 28/02/2022

Contents

1. Purpose, scope and users

2. Identifying the risks

3. Screening

4. Contracts

5. Training and awareness

6. Monitoring and review

7. Change or Termination

8. Document management

9. Change history

 


1.    Purpose, scope and users

The purpose of this document is to define the rules for relationships with suppliers and partners.

This document applies to all suppliers and partners who have the ability to influence the confidentiality, integrity and availability of Recycly's sensitive information.

Users of this document are top management and persons responsible for suppliers and partners in Recycly.

 

2.    Identifying the risks

Security risks related to suppliers and partners are assessed prior to engaging the supplier. During the risk assessment, special care must be taken to identify risks related to information and communication technology, as well as risks related to the product supply chain.

 

3.    Screening

The contract owner decides how supplier security should be assessed and which methods should be used. Suppliers who will have access to Recycly data should be considered higher risk.

 

4.    Contracts

The contract owner (i.e. the person authorising the purchase) is responsible for deciding which security clauses will be included in the contract with the supplier or partner, if terms are negotiable, or whether to accept the supplier's terms as satisfactory.

Clauses which stipulate confidentiality are mandatory, as is the return of assets on termination, where applicable.

Further, the contract must be reviewed to ensure that it details how reliable delivery of the products and services is achieved. This is particularly important when assessing cloud service providers.

The contract owner is the person who signs the contract.

 

5.    Monitoring and review

Suppliers or partners should be monitored for the level of service and fulfilment of security clauses. Where appropriate and agreed, key suppliers may be audited periodically.

Any security incidents related to the partner/supplier should be forwarded immediately to the contract owner.

 

6.    Change or Termination

When the contract is changed or terminated, the access rights for employees of partners/suppliers must be adjusted or removed according to the Access Control Policy.

Further, when the contract is changed or terminated, the contract owner must make sure all the equipment, software or information in electronic or paper form is returned. 

 

7.    Document management

This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.

 

8.    Version history

Summary of Change | Date of Change | Author | Version No
First Draft | 18/10/2021 | Dom Tyler | 1