VOICECOM
Supplier Security Policy
Internal document
Procedure Ref : PO-DSIXXX
Version : 0.1
Supplier Security Policy Date : 26/09/2020
Page : 2/5
Public Internal Confidential Top Secret
1 Introduction
2 Scope
This policy sets out VOICECOM’s requirements that must be met by contractors in the
handling, management, storage and processing of its information.
3 Revision History
Revision Date Record of Changes Approved By
0.1 26/09/2020 Initial Issue
4 Control of hardcopy versions
The digital version of this document is the most recent version. It is the responsibility of the
individual to ensure that any printed version is the most recent version. The printed version
of this manual is uncontrolled, and cannot be relied upon, except when formally issued by
the <Document Controller> and provided with a document reference number and revision in
the fields below:
Document Ref. Rev. Uncontrolled Copy X Controlled Copy
5 References
Standard Title Description
ISO 27000:2014 Information security management systems Overview and vocabulary
ISO 27001:2013 Information security management systems Requirements
ISO 27002:2013 Information technology - security techniques Code of practice for information security controls
ISO 19011:2011 Auditing Management Systems Guidelines for auditing
6 Definitions
our “compliance obligations” are our information security obligations under law,
regulation, contract and ISO 27001
“information assets” include information, information assets and information systems
“information security” is the preservation of confidentiality, integrity and availability of
VOICECOM’s information.
Depending on circumstances, “information security” may also include the
authenticity, accountability, non-repudiation and reliability of VOICECOM’s
information.
“information risk” is the risk or risks to the security of VOICECOM’s information
“staff” and “users” means all of those who work under our control, including
employees, contractors, interns etc.
“we” and “our” refer to VOICECOM
7 Responsibilities
The <ISMS Manager> and <Purchasing Manager> are jointly responsible for all aspects of
the implementation and management of this procedure, unless noted otherwise.
Managers and supervisors are responsible for the implementation of these arrangements
within the scope of their responsibilities and must ensure that all staff under their control
understand and undertake their responsibilities accordingly.
8 Information Security
This policy has been framed as a generic policy for your guidance. It may need editing to
meet your specific requirements.
9 General
We require that the security of our information be maintained in order to ensure that we
are able to rely on our information for our business needs and to meet our compliance
obligations.
10 Information risk assessment and management
Our information security risk assessment methodology is set out in our Control of Risks and
Opportunities Procedure.
11 Compliance obligations
List your legal, regulatory and contractual obligations here.
For example, in the UK, the list might include:
Civil Evidence Act 1968
Communications Act 2003
Computer Misuse Act 1990
Copyright (Computer Programs) Regulations
Data Protection Act 1998
Environmental Information Regulations 2004
Freedom of Information Act 2000
Human Rights Act 1998
Police and Criminal Evidence Act 1984
Public Records Acts 1958 and 1967
Regulation of Investigatory Powers Act 2000
Telecommunications (Lawful Business Practice) (Interception of Communications)
Regulations 2000
The Official Secrets Act 1989
Wireless Telegraphy Act 1949
Any organisation accessing, processing, communicating or managing our information must
do so in such a way that these obligations are met.
Any processing of personal data outside the United Kingdom may only take place with the
prior written permission of our <ISMS Manager>.
12 Access to our information assets
any person accessing our information assets must either hold, or be prepared to
apply for, identity, nationality and criminal record checks and, where necessary, security clearance
access granted to information assets will be the minimum necessary to achieve the
required purposes
all of our equipment and security passes must be returned prior to the termination of
the contract
persons granted access to our information assets must comply with our security
requirements
Failure to comply with these requirements and other relevant instructions may
constitute a breach of contract and lead to termination or legal action.
we may monitor the use of our information assets for business purposes
any removable media containing our information must be encrypted to a degree
commensurate with the security classification of the information held within the
removable media
removable media (including laptops and tablets) may only be used to manage our
information with our explicit consent
supplier personnel may only enter our premises with an appropriate security pass
and the scope of their access may be further limited within our premises
13 Information Security Management System Controls
where a supplier is contracted to manage our information assets, the supplier must
ensure that an information security management system employed to secure our
information assets is in place, and complies with ISO 27001:2013
satisfactory evidence of compliance to ISO 27001:2013 must be provided, preferably
through formal certification, before any of our information assets are accessed by the
supplier
This may go too far, it depends on your circumstances if you wish to limit your
potential suppliers in this way
a supplier holding our data on our behalf must have in place processes to ensure that
such data can be promptly and efficiently recovered following an emergency
our information may not be copied by any supplier other than as far as is necessary
for providing the agreed service
our live data and information may not be used for test purposes
Data and information to be used for test purposes must be altered, in such a way that
none of our live data or information can be reconstructed from that used for test
purposes.
suppliers must agree to permit, and facilitate, audits of all aspects of their information
security management system by ourselves, or our appointed agents, and to address
any findings of such audits in order to preserve the security of information to our
standards and requirements
suppliers must have a security incident reporting process in place to a standard and
design acceptable to ourselves, to ensure that any incidents involving our information
are immediately reported to us
Suppliers must agree to undertake any remedial action required by us and ensure
that this is auditable.
the transmission of information between ourselves and a supplier must be encrypted
to a level commensurate with the security classification of the information and to our
requirements
14 Records
Records retained in support of this procedure are listed in the appropriate Controlled
Records Register and controlled according to the Control of Management System Records
Procedure.