1. Purpose and Scope
This policy defines how the organisation manages risks associated with vendors, suppliers, and third-party partners to ensure confidentiality, integrity, and availability of information assets. It applies to all employees, contractors, suppliers, and partners engaged in providing services or processing data on behalf of the organisation.
Policy Statements:
- Vendor risk management processes are documented and reviewed annually, consistent with ISO/IEC 27001:2022 Annex A.15.1 (Supplier Security).
- Third-party risk oversight aligns with NIST CSF v2.0 ID.SC (Supply Chain Risk Management).
- Vendor contracts include security clauses consistent with applicable data protection and health-data law; representative references include EU GDPR Article 28 (Processor Contracts) and HIPAA §164.308(b)(1) (Business Associate Agreements).
- Where PCI DSS applies, vendor management obligations are enforced under PCI DSS v4.0 Req. 12.8 (Vendor Management); equivalent third-party risk obligations apply under other accepted frameworks.
- Governance oversight is provided by the board, consistent with ISO/IEC 38500:2015 Clauses 5.1 to 5.6 and, where applicable to the organisation's jurisdiction, instruments such as US SOX Section 404 and equivalent national governance codes.
- Supplier collaboration and joint risk management are documented under ISO 44001:2017 Clause 6.3 (Collaborative Risk Management) and Clause 7.4 (Joint Incident Response).
2. Governance and Accountability
Vendor risk responsibilities are clearly defined and enforced.
Policy Statements:
- The board demonstrates leadership and commitment to vendor risk governance (ISO 27001 Clause 5.1).
- A formally appointed Vendor Risk Manager is accountable for supplier oversight (Clause 5.3).
- Department heads ensure vendor compliance within their teams.
- Quarterly vendor risk performance reports are presented to the Audit & Risk Committee in the form required by applicable governance instruments; representative reference points include US SOX Section 404, South Africa King IV Principle 12, and equivalent national codes.
- Collaborative vendor responsibilities are documented and reviewed annually (ISO 44001 Clause 5.2).
- Vendor governance aligns with the COSO Internal Control - Integrated Framework (Principle 1: Governance & Culture) or an equivalent internal-control framework adopted by the organisation.
3. Risk Management
Vendor risks are identified, assessed, and treated systematically.
Policy Statements:
- Vendor risk assessments are conducted prior to onboarding and annually thereafter (ISO 27001 Clause 6.1.2).
- Risk treatment plans are documented and approved (Clause 6.1.3).
- Vendor risks are integrated into enterprise risk registers (ISO 22301 Clause 8.2).
- Cybercrime risks are explicitly tracked under applicable cybercrime legislation in each operating jurisdiction; representative references include the South Africa Cybercrimes Act (2020) and the Mauritius Cybercrime Act (2003/2018).
- Shared risk registers with strategic partners include vendor risks (ISO 44001 Clause 6.3).
- Vendor risk assessments are embedded into the organisation's enterprise risk management framework: COSO ERM (Principle 6: Risk Identification & Assessment), ISO 31000:2018, or an equivalent ERM framework adopted by the organisation.
4. Vendor Onboarding and Contracts
Vendors are vetted and contractual obligations are enforced.
Policy Statements:
- Vendor due diligence is conducted prior to engagement, including security questionnaires and audits (SOC 2 CC9 Vendor Management).
- Contracts require compliance with applicable data protection, health-data, and payment-card obligations; representative references include EU GDPR Article 28, HIPAA §164.308(b)(1), and PCI DSS Req. 12.8.
- Contracts include clear escalation paths for incidents (ISO 44001 Clause 7.4).
- Vendor agreements require adherence to acceptable use policies (ISO 27001 Annex A.8.1).
- Vendor contracts mandate encryption of sensitive data (GDPR Article 32, PCI DSS Req. 3-4).
5. Monitoring and Oversight
Vendor performance is monitored continuously.
Policy Statements:
- Vendor compliance is monitored through audits and assessments (ISO 27001 Clause 9.2).
- Vendor risk dashboards are reviewed quarterly by management (Clause 9.3).
- External audits validate vendor compliance with SOC 2 Trust Services Criteria.
- Corrective actions are tracked and verified (ISO 9001 continual improvement).
- Vendor monitoring aligns with NIST CSF PR.IP (Protective Technology).
6. Incident Response and Continuity
Vendors participate in incident response and continuity planning.
Policy Statements:
- Vendor incident response obligations are documented in contracts (ISO 27001 Annex A.16.1, PCI DSS Req. 12.10).
- Vendors must notify the organisation of breaches within the timeframes required by applicable data protection law (representative window: 24 hours, based on EU GDPR Article 33 and POPIA Section 22).
- Vendor participation in continuity exercises is mandated (ISO 22301 Clause 8.4, SIAM v4).
- Vendor incident response integrates with enterprise risk reporting channels (COSO Principle 17: Risk Reporting & Communication, or equivalent).
7. Training and Awareness
Vendors are trained to meet organisational security standards.
Policy Statements:
- Vendors must provide evidence of employee security awareness training (ISO 27001 Annex A.7.2.2, PCI DSS Req. 12.6).
- Joint training exercises are conducted with critical suppliers (ISO 44001 Clause 7.2).
- Awareness campaigns reinforce vendor compliance culture.
8. Compliance Obligations
Vendor risk management complies with applicable laws and standards.
Policy Statements:
- Obligations under applicable data protection and health-data law are integrated into vendor contracts; representative regimes include EU GDPR, POPIA, HIPAA, and California CCPA/CPRA.
- Cross-border vendor engagements follow the lawful transfer mechanisms of applicable data protection law in each operating jurisdiction; representative references include EU GDPR Chapter V and Mauritius DPA Section 36.
- The organisation maintains a living register of data protection obligations applicable to its jurisdictions of operation; representative reference points include Singapore PDPA, India DPDP Act, and Brazil LGPD.
- Vendor obligations under the AU Convention on Cybersecurity (2014) are observed where the organisation operates in signatory states.
9. Audit and Assurance
Independent audits validate vendor risk management effectiveness.
Policy Statements:
- Internal audits of vendor risk management are conducted annually (ISO 27001 Clause 9.2).
- Management reviews vendor risk performance quarterly (Clause 9.3).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation's market context; representative references include SOC 2 (CC9 Vendor Management, cited above) and equivalents under other accepted assurance frameworks.
- Corrective actions are tracked and verified (ISO 9001 continual improvement).
10. Appendices
- Appendix A: Vendor Risk Assessment Questionnaire.
- Appendix B: Vendor Onboarding Checklist.
- Appendix C: Standard Contractual Clauses (GDPR, HIPAA, PCI DSS).
- Appendix D: Vendor Incident Escalation Flowchart.
- Appendix E: Vendor Participation Agreement for Continuity Exercises.
- Appendix F: Vendor Audit Schedule.
- Appendix G: Post-Vendor Review Checklist.
Enterprise and Conglomerate implementation content will be added here.