This is a supply chain cyber security policy, which may be used by a customer for IT services to mitigate cyber security risks relating to those services. It may be included as a schedule to the IT services contract or as a stand-alone document. In either case, the obligations contained in the policy should be contractually enforceable.
The policy is available in standard (shorter) and premium (longer) forms.
This document was created by Emma Osborn of OCSRC (see https://ocsrc.co.uk).