Example Suppliers
Below are some examples of suppliers and how they might look once filled in.
Supplier Name
The name of the supplier.
Google
Supplier Description
A brief summary of what the supplier does for your organisation.
Used for Google Workspace suite including email.
Supplier Owner
The person responsible for the supplier.
Bilbo Baggins
Supplier Contact
The main point of contact for the supplier. This could be, for example, a support page on a website, or the name of a person responsible for liaising between your organisations.
Support Team
Supplier Email
The email address associated with the supplier.
support-in@google.com
Supplier Address
The address of the supplier.
Supplier Contact Number
The contact telephone number associated with the supplier.
Last Review Date
When the information for this supplier was last reviewed.
03/08/2023
Next Review Date
The date when this supplier will be next reviewed.
03/08/2024
Does the supplier hold ISO27001, or other externally validated certificate that is in line with or exceeds ISO27001?
Whether the supplier is certified against ISO27001. By Harpe's standards, holding an ISO27001 accreditation is an automatic pass in terms of security.
Yes
Does the supplier encrypt personal data at rest and in transit?
Encryption of data in transit and at rest means converting sensitive data into a form that unauthorised users cannot read or understand, both while it is being transmitted from one location to another and while it is stored.
Yes
Does the supplier adhere to the principle of least privilege and have access control processes in place?
The principle of least privilege is the practice of giving employees only the minimum permissions required to do their job. This combats permissions creep, which becomes a security risk when the wrong person has access to information above their level.
Yes
Does the supplier have processes in place to address risk management?
Whether the supplier has risk management processes in place.
Yes
Does the supplier train and engage their employees to become cyber aware?
Whether the supplier engages in training employees to ensure they have enough knowledge to be resistant against common cybersecurity threats. For example, phishing emails.
Yes
Does the supplier have a process to manage assets throughout their lifecycle, including security and destruction?
Whether the supplier has an adequate process for the management of assets.
Yes
Does the supplier have a process to manage disaster recovery and the backups of critical systems?
Whether the supplier has a process for disaster recovery, including taking backups, to ensure system stability in the event of an incident.
Yes
Does the supplier have processes in place to identify and remediate vulnerabilities, such as penetration testing or vulnerability scanning?
Whether the supplier performs activities such as penetration testing or vulnerability scanning to identify vulnerabilities in their systems.
Yes
Does the supplier have logging and monitoring in place to identify incidents with their assets and data?
Whether the supplier has logging and monitoring enabled for their systems and tools to ensure any changes or breaches are recorded.
Yes
Does the supplier have an incident management process in place?
Whether the supplier has processes implemented to manage any occurred incidents.
Yes
Does the supplier have a process in place to protect and manage their supply chain?
Whether the supplier has processes in place to ensure their supply chain is secure.
Yes
Are there contracts that cover security requirements, data protection requirements and confidentiality?
Whether there are legally binding contracts and policies in place with the supplier to ensure cybersecurity requirements are safeguarded.
Yes
Does the Supplier have a quality management system in place?
Whether the supplier has a system in place to ensure continued quality of its processes and deliverables.
Yes
Assessment result
Whether the supplier passes or fails based on the answers to these questions.
Pass
Conducted by
The person responsible for conducting this assurance assessment.
Bilbo Baggins
Disaster Recovery Plan
A step-by-step plan to enable business operations to be recovered or allowed to continue in the event of the supplier becoming unavailable or suffering an incident.
Step 1
* The Asset Owner shall contact Google Technical Support to establish the downtime timeframe and assess whether the provider will be able to restore services within our required timeframe. The Asset Owner shall be responsible for regularly requesting updates from the supplier until service is restored.
Step 1a
* The Asset Owner shall communicate with applicable colleagues and customers to inform them of the downtime of the application and include an estimated timeframe upon resolution.
Step 1b
* Staff shall use alternative methods of communication for internal use such as Slack.
Step 1c
* The applicable teams shall communicate with customers via other methods until service is restored.
Step 1d
* Continue to chase the supplier until service is restored.
ONLY begin Step 2 if service cannot be fully restored and the downtime has reached an unacceptable timeframe with an unacceptable operational impact on the business.
Step 2
* If service cannot be fully restored, the Asset Owner shall assess an alternative, ensuring the Procedure - Supplier Evaluation Policy is followed if equivalent suppliers are not approved.
Step 3
* Upon successful approval of the new supplier, the Asset Owner shall liaise with the necessary teams to procure the new service.
Step 4
* The Asset Owner shall inform the Team when the new service is expected to go-live.
* The Asset Owner shall inform the Team whether the new supplier is intended to become permanent or is a temporary measure.
* The Asset Owner shall record the new Supplier within the Asset Register and Security Assurance Tracker.
Step 5
* The Asset Owner shall ensure applicable staff members are trained on the new software by organising training material which can be in the form of a presentation.
Step 6
* The Asset Owner shall liaise with the Information Security team in order to complete a business impact assessment.
Security Considerations during DR
Any security considerations that must be paid attention to in the event of the supplier becoming unavailable or suffering an incident.
Reduced productivity: Businesses that rely on Gmail and Drive for communication and collaboration would be unable to access their emails and documents, which could lead to reduced productivity as employees struggle to communicate and work together. This could also lead to security risks, as businesses would be more likely to share sensitive information via unsecured channels if their email and documents are unavailable.
Increased IT costs: Businesses would need to invest in additional IT resources to manage their email and documents with alternative solutions if Gmail and Drive are unavailable. This could include purchasing new software, hiring additional IT staff, or using cloud-based solutions from other providers.
Data loss: In some cases, a major disaster at Google could lead to data loss. This could happen if Google's data centers were to be damaged or if there was a data breach. Businesses would be liable for any costs associated with data loss, including legal fees, lost business, and customer dissatisfaction.
Customer dissatisfaction: Businesses that rely on Gmail and Drive to communicate with customers would likely experience increased customer dissatisfaction if they are unable to provide their customers with the services they expect. This could lead to lost customers and revenue.
RPO (Recovery Point Objective)
The maximum tolerable loss of data, expressed as a period of time. For example, a loss of 2 hours' worth of work.
2 hours
RTO (Recovery Time Objective)
The maximum tolerable time in which a supplier can be unavailable. For example, if the RTO is 2 hours then the supplier should be available again after failure in less than 2 hours.
2 hours
BIA Owner
The person who is responsible for this disaster recovery assessment.
Bilbo Baggins
Last updated
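The record above is a template, so the checks a reviewer would run over it are implicit: the pass/fail decision, whether the review is overdue, and whether a backup schedule and an outage actually fit the stated RPO and RTO. The following Python script is an added example, not Harpe's own code: it models a supplier record with the values shown for Google, encodes the one decision rule the page states (ISO 27001 is an automatic pass), and adds checks for review dates and RPO/RTO. The rule that an uncertified supplier must answer Yes to every control, the control keys, the hypothetical second supplier and the sample backup interval and outage are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

DATE_FMT = "%d/%m/%Y"  # the page writes dates as 03/08/2023 (day/month/year)

# The questionnaire's control questions, shortened to keys (assumed names).
CONTROL_QUESTIONS = (
    "encryption_at_rest_and_in_transit",
    "least_privilege_and_access_control",
    "risk_management",
    "cyber_awareness_training",
    "asset_lifecycle_management",
    "disaster_recovery_and_backups",
    "vulnerability_management",
    "logging_and_monitoring",
    "incident_management",
    "supply_chain_security",
    "security_contracts",
    "quality_management_system",
)


def parse_date(text):
    """Parse a dd/mm/yyyy date string as used on the page."""
    return datetime.strptime(text, DATE_FMT).date()


@dataclass
class SupplierRecord:
    name: str
    iso27001: bool
    controls: dict          # control key -> True for "Yes", False for "No"
    last_review: str        # dd/mm/yyyy
    next_review: str        # dd/mm/yyyy
    rpo_hours: float
    rto_hours: float


def failed_controls(rec):
    """Control questions not answered Yes (a missing answer counts as No)."""
    return [q for q in CONTROL_QUESTIONS if not rec.controls.get(q, False)]


def assessment_result(rec):
    """Page rule: ISO 27001 certification is an automatic pass.
    Assumed rule for uncertified suppliers: every control must be Yes."""
    if rec.iso27001:
        return "Pass"
    return "Pass" if not failed_controls(rec) else "Fail"


def review_overdue(rec, today):
    """True once 'today' (dd/mm/yyyy) is past the next review date."""
    return parse_date(today) > parse_date(rec.next_review)


def review_dates_consistent(rec):
    """The next review must fall after the last review."""
    return parse_date(rec.next_review) > parse_date(rec.last_review)


def rpo_satisfied(rec, backup_interval_hours):
    """Backups no more than RPO apart bound the loss to RPO worth of work."""
    return backup_interval_hours <= rec.rpo_hours


def rto_satisfied(rec, outage_hours):
    """Service restored within the RTO. The DR plan's Step 2 trigger
    ('unacceptable timeframe') is assumed here to mean the RTO is exceeded."""
    return outage_hours <= rec.rto_hours


# Constructed record using the values the page shows for Google.
GOOGLE = SupplierRecord(
    name="Google",
    iso27001=True,
    controls={q: True for q in CONTROL_QUESTIONS},
    last_review="03/08/2023",
    next_review="03/08/2024",
    rpo_hours=2,
    rto_hours=2,
)

# Constructed hypothetical supplier: no ISO 27001 and a gap in logging.
UNCERTIFIED = SupplierRecord(
    name="Example Ltd (hypothetical)",
    iso27001=False,
    controls={**{q: True for q in CONTROL_QUESTIONS},
              "logging_and_monitoring": False},
    last_review="01/02/2024",
    next_review="01/02/2025",
    rpo_hours=24,
    rto_hours=8,
)


def report(rec, today, backup_interval_hours, outage_hours):
    """Summarise the checks a reviewer would want for one record."""
    return {
        "name": rec.name,
        "result": assessment_result(rec),
        "failed_controls": failed_controls(rec),
        "review_overdue": review_overdue(rec, today),
        "dates_consistent": review_dates_consistent(rec),
        "rpo_ok": rpo_satisfied(rec, backup_interval_hours),
        "rto_ok": rto_satisfied(rec, outage_hours),
    }


if __name__ == "__main__":
    # Sample inputs (assumed): hourly backups, a 3-hour outage, reviewed on 04/08/2024.
    for rec in (GOOGLE, UNCERTIFIED):
        print(report(rec, today="04/08/2024", backup_interval_hours=1, outage_hours=3))
```

With these inputs the Google record still passes the assurance assessment, but the report flags that its review is one day overdue and that a 3-hour outage exceeds the 2-hour RTO, which is exactly the point at which the DR plan says Step 2 may begin.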