Supply chain cyber security policy

This is a supply chain cyber security policy, which may be used by a customer for IT services to mitigate cyber security risks relating to those services. It may be included as a schedule to the IT services contract or as a stand-alone document. In either case, the obligations contained in the policy should be contractually enforceable.

The policy is available in standard (shorter) and premium (longer) forms.

This document was created by Emma Osborn of OCSRC (see https://ocsrc.co.uk).

Standard policy:

1. Introduction
2. Definitions
3. Status of this Policy
4. Cyber security risks
5. Cyber security approach
6. Cyber security requirements
7. Actions upon termination

ANNEX 1 (EVIDENCE REQUIRED OF COMPLIANCE)
ANNEX 2 (ADEQUATE ENCRYPTION STANDARDS)

Premium policy:

1. Introduction
2. Definitions
3. Status of this Policy
4. Cyber security risks
5. Cyber security approach
6. Cyber security requirements
7. Evidential requirements and auditing
8. Detecting cyber security breaches
9. Responding to cyber security breaches
10. System and Policy reviews and updates
11. Actions upon termination

ANNEX 1 (EVIDENCE REQUIRED OF COMPLIANCE)
ANNEX 2 (ADEQUATE ENCRYPTION STANDARDS)
ANNEX 3 (FORM OF NOTIFICATION OF CYBER SECURITY BREACH)

1. Introduction
2. Description of cyber security breach
3. Parts of Provider System affected
4. Proportion of data assets affected
5. Is personal data concerned?
6. Likely consequences of breach
7. Measures taken to address breach
8. Has anyone other than the Customer been notified of the breach?
9. Late report of breach
10. Contact details

Ask a question

A copy of this supply chain cyber security policy is included in the following pack:

• Cyber security pack