Supplier Onboarding
Confluence page header
Page title: Supplier Onboarding
Parent: ISMS Home → 09 · Supplier Security Policy
SCM variants:
- isms-all-staff (read — visible to procurement, HR, and IT Operations staff who manage supplier relationships)
- isms-management (read)
- isms-security (full access — CISO maintains)
- isms-it-staff (read — IT Operations conducts the technical steps)
Page owner: CISO (security obligations) + IT Manager (technical access steps)
Last reviewed: [DATE]
Next review: Annual
Related pages:
- Supplier Security Obligations (standard-tier obligations)
- Critical Supplier Security Obligations (enhanced tier)
- 09 · Supplier Security Policy (parent policy)
- FC-03 · User Access Control (technical provisioning detail)
- EV-C → Risk Management → Supplier Assessments (evidence filing)
Who this page is for
This page is for three audiences simultaneously, and the content is structured to serve each without duplicating effort.
Procurement and commercial staff who are setting up a new supplier relationship need to know what security steps must happen before the supplier's contract is executed and before access is granted. This page defines those steps and makes clear which ones require CISO involvement. The commercial team should read Sections 1 and 2 before any supplier engagement begins.
IT Operations staff who receive a request to provision supplier accounts or access need a complete technical checklist they can work through. This page gives them the provisioning steps, the prerequisites that must be confirmed before they act, and where to file the evidence. Sections 4, 5, and 6 contain the operational detail.
Suppliers and their security contacts who have just been told they will be working with us and need to understand what security obligations apply to their engagement, what they need to provide, and what access they will get. The supplier-facing content is in Sections 1 and 3, written in plain English without assuming familiarity with our internal systems.
If you are a supplier reading this page: welcome. We have designed this onboarding process to be straightforward. Most of the steps are things your organisation should already have in place. Where we ask for documentation or confirmation, we explain why. If anything is unclear, contact the CISO at [ciso@organisation.com].
Section 1 — Before access is granted: what must happen first
This section establishes the sequence that must be followed for every new supplier engagement involving system access or data handling. The sequence cannot be reordered. Access is never granted speculatively, provisionally, or as a favour ahead of the formal process completing.
The mandatory sequence
SUPPLIER ONBOARDING SEQUENCE — all steps must be completed in order
Step 1: Commercial team notifies CISO of the proposed engagement
Before the contract is signed
CISO determines: Standard-tier or Critical-tier
CISO confirms: what security obligations apply and whether any gaps exist
Step 2: NDA signed (if not already covered by main contract)
Before any confidential information is shared
Before any system access is granted
NDA must be signed by an authorised officer of the supplier company
Step 3: Supplier tier designation confirmed and communicated to supplier
CISO sends the supplier the relevant obligations page:
Standard-tier: Supplier Security Obligations
Critical-tier: Critical Supplier Security Obligations (in addition to Standard)
Step 4: Supplier screening confirmed (for individual personnel)
For Standard-tier: employer reference + right to work verification
For Critical-tier (OFFICIAL or CUI access): BPSS screening confirmed
Screening must be COMPLETED before accounts are created — not running concurrently
Step 5: Supplier security questionnaire submitted and reviewed
Standard-tier: standard self-assessment questionnaire
Critical-tier: critical supplier annual assurance questionnaire
CISO reviews and confirms no blocking issues before proceeding
Step 6: Supplier added to the supplier register
CISO creates or updates the supplier record in EV-C → Supplier Assessments
Risk rating assigned: Green / Amber / Red
Critical-tier: also added to the Critical Supplier Register (management view)
Step 7: IT Operations provisioning
IT Operations receives the provisioning request from CISO (not directly from the supplier or the commercial team)
All prerequisites in Step 4 and Step 5 must be confirmed before this step
Step 8: Supplier security induction
All supplier personnel with access complete the condensed security induction
Induction must be completed before first use of granted access
Completion recorded in the supplier register
Step 9: Access activated
IT Operations confirms all checklist items complete
Access activated — supplier notified by IT Operations
Step 10: Engagement active
Annual assurance cycle begins from the date of access activation
First annual questionnaire due within 12 months of the activation date (usually by the annual cycle deadline of [31 March], whichever is sooner)
The most important rule: The commercial team may sign contracts and begin commercial negotiations at any point. They may share information that is not classified as INTERNAL or above. They must not grant, promise, or imply that system access will be available before the CISO has confirmed Steps 4 and 5 are complete. IT Operations must not action any provisioning request that does not come with CISO confirmation that the prerequisites are met.
What triggers the onboarding process
The commercial team or any internal manager who identifies a need to engage a third party with system access or data handling responsibilities must notify the CISO. The notification should happen before the contract is signed — ideally at the point where the procurement decision is made.
Notification must be sent when a supplier will:
- Access our IT systems remotely or on-site
- Access our internal network (including guest network access where the engagement involves data discussion)
- Store, process, or transmit any information we classify as INTERNAL or above
- Have physical access to our Zone 2 or Zone 3 areas on a recurring basis (more than a one-off visit)
- Sub-contract work that itself involves any of the above
Notification is not required for:
- Purely commercial conversations (calls, meetings in Zone 1, email exchange about commercially public information)
- One-off site visits fully escorted in Zone 1 only
- Suppliers from whom we purchase physical goods with no ongoing digital relationship
When in doubt, notify the CISO. The cost of a notification that turns out not to be needed is thirty seconds. The cost of proceeding without notification is a compliance gap that may not be discovered until an assessment.
Section 2 — How to notify the CISO of a new supplier engagement
Notification form — complete and email to [ciso@organisation.com]
This form is used by the commercial team, procurement staff, or any internal manager to initiate the supplier onboarding process. Send by email with the subject line: "New Supplier Engagement — [Supplier name] — [YYYY-MM-DD]"
NEW SUPPLIER ENGAGEMENT NOTIFICATION
Your name and role:
Name: _________________________________________________
Role: _________________________________________________
Department: _________________________________________________
Supplier details:
Company name: _________________________________________________
Website: _________________________________________________
Primary contact at supplier:
Name: _________________________________________________
Role: _________________________________________________
Email: _________________________________________________
Phone: _________________________________________________
Engagement description:
What will this supplier do for us? (brief description):
_______________________________________________________________
_______________________________________________________________
Access requirements (tick all that apply):
☐ Remote access to our IT systems
Specify which systems: _______________________________________
☐ On-site access — Zone 2 (general office areas)
☐ On-site access — Zone 3 (server room / secure areas)
Specify what work: __________________________________________
☐ Access to our data (describe below)
☐ Physical delivery / installation only (no ongoing system access)
☐ Other — describe: __________________________________________
Data access:
Will this supplier handle any of our classified information?
☐ No — purely commercial / public information only
☐ Internal information (commercially confidential)
☐ Official (HMG classification — MOD contract work)
☐ CUI (Controlled Unclassified Information — US DoD contract work)
☐ Personal data (employee, customer, or supplier data)
☐ Unsure — please advise
Contract status:
☐ Contract not yet drafted — early engagement
☐ Contract in negotiation — security schedule not yet attached
☐ Contract ready — awaiting security sign-off before execution
☐ Contract executed — access has not yet been granted
☐ Access already granted — retrospective onboarding needed
[If this last box is ticked: the CISO will treat this as urgent.
Access granted without the onboarding process completing is a
compliance gap. Contact CISO directly by phone.]
Named individuals (if known at this stage):
Name | Role | Expected access type
──────────────────────────────────────
[Name] | [Role] | [describe]
Proposed start date for access: ________________________________
Anything else we should know:
_______________________________________________________________
Send to: [ciso@organisation.com]
Subject: New Supplier Engagement — [Supplier name] — [YYYY-MM-DD]
What the CISO does with the notification
Within 3 business days of receiving the notification, the CISO will:
- Acknowledge receipt and provide an onboarding reference number
- Confirm the tier designation (Standard or Critical) and send the supplier the relevant obligations page
- Advise the commercial team whether a separate NDA is needed or whether the main contract will cover confidentiality
- Confirm the screening requirement for the named individuals
- Send the supplier the relevant questionnaire to complete
- Advise the commercial team of any security provisions that must appear in the contract before it is executed
The CISO will not provisionally grant access while onboarding is in progress. If the commercial team receives pressure from the supplier to grant early access, contact the CISO — there are sometimes ways to structure limited early engagement that do not compromise the onboarding process, but these need CISO involvement to manage safely.
Section 3 — NDA requirements
When an NDA is required
An NDA (Non-Disclosure Agreement) or equivalent confidentiality obligation must be in place before any of the following:
- Sharing information classified as INTERNAL, OFFICIAL, or CUI with the supplier
- Granting access to our systems in any capacity
- Discussing the specific details of our ISMS, security architecture, or compliance posture
In many supplier relationships, confidentiality is covered by the main commercial contract — a standard services agreement or master services agreement typically includes confidentiality clauses that are equivalent to a standalone NDA. The CISO will confirm whether the main contract provides adequate confidentiality coverage or whether a separate NDA is needed.
A supplier who asks to see our security architecture details, technical infrastructure, or compliance documentation for the purpose of scoping their services must have a confidentiality obligation in place before that information is shared. Do not share architectural details with a potential supplier on the basis that "we're still in procurement" — this information is INTERNAL classified and the confidentiality obligation must precede the sharing.
What the NDA must cover
The NDA or equivalent confidentiality provision must cover, at minimum:
MINIMUM NDA PROVISIONS
1. Definition of confidential information
Covers: technical and commercial information provided by either party;
our security architecture, ISMS documentation, and compliance posture;
CUI (if applicable — must be specifically referenced); OFFICIAL
information (if applicable); personal data.
2. Permitted use
Confidential information provided by us may only be used for the
specific purpose of the engagement described in the contract.
It may not be used for competitive intelligence, market research,
or any other purpose.
3. Non-disclosure obligation
The supplier will not disclose our confidential information to any
third party without our written consent. This includes disclosure to
the supplier's own sub-contractors, affiliates, and parent companies
unless specifically agreed.
4. Security obligations
The supplier will protect our confidential information using at least
the same measures they apply to their own confidential information,
and in no event less than reasonable security measures.
5. Survival on termination
The confidentiality obligation survives termination of the engagement
for a minimum of 5 years. For CUI: no fixed survival period — the
obligation to protect CUI does not expire.
6. Return or destruction
On termination, all confidential information will be returned or
securely destroyed within 30 days, with written confirmation.
7. Governing law
English law governs the NDA for UK-based suppliers.
For international suppliers: agree with legal counsel.
Supplier NDA file
All executed NDAs are filed by the CISO at: EV-C → Risk Management → Supplier Assessments → [Supplier name] → NDA
Retention: contract duration + 6 years.
Section 4 — Supplier register process
What the supplier register is
The supplier register is the organisation's authoritative record of all active supplier relationships involving system access, data handling, or physical access to controlled areas. It is maintained by the CISO and reviewed quarterly as part of the supplier governance programme.
For each supplier, the register records:
SUPPLIER REGISTER FIELDS
Per supplier:
Company name: Legal name of the supplier
Onboarding ref: SR-[YYYY]-[NNN] — assigned by CISO at onboarding
Tier: Standard / Critical
Services provided: Brief description of the contracted services
Access type: Remote system / On-site Zone 2 / Zone 3 / Data only
Data classifications: None / Internal / Official / CUI / Personal data
Named individuals: Current named individuals with access (linked to EV-D03)
Screening level: None / Employer reference / BPSS / SC — per individual
NDA status: In main contract / Standalone NDA — date signed
Certifications held: ISO 27001 / CE+ / SOC 2 / CMMC — cert numbers and dates
Risk rating: Green / Amber / Red
Last assessment: Date of last questionnaire review
Next assessment due: Date of next annual questionnaire deadline
CISO assigned: Named CISO contact for this relationship
Contract reference: Reference to the main contract document
Contract expiry: Date
Sub-contractors: Any approved sub-contractors on this engagement
Per named individual (linked from supplier record):
Full name _______________
Role _______________
Email _______________
Access type _______________
Screening level None / Employer ref / BPSS / SC
Screening date _______________
Account created _______________
Access expires _______________
Training completed Date of security induction completion
How to add a new supplier to the register
The CISO adds suppliers to the register. Internal staff do not add suppliers directly. The process is:
- Commercial team submits the new supplier notification form (Section 2)
- CISO creates a new supplier record with onboarding reference SR-[YYYY]-[NNN]
- CISO completes the register fields as onboarding progresses
- Register is considered complete when all prerequisites in Steps 1 through 8 of the mandatory sequence are confirmed
The register is accessible at: EV-C → Risk Management → Supplier Assessments → Supplier Register [live page — isms-security access]
A management summary view (risk ratings and assessment status only) is in the Supplier Governance and Business Continuity Oversight page under the isms-management SCM variant.
Keeping the register current
The register is a live document. The following events trigger an update:
Event | Who updates | Timeline
─────────────────────────────────────────────────────────────────────────────
New supplier added | CISO | At onboarding
Named individual leaves the supplier and their access must be revoked | Commercial or IT Ops | Same day — notify CISO, who updates
Named individual added to the engagement | Commercial or IT Ops | Before access is granted
Supplier certification lapses or changes | Supplier or CISO | Within 10 days of discovery
Risk rating changes | CISO | On assessment
Contract renewed or extended | Commercial | Before expiry
Contract terminated | Commercial | On termination
Sub-contractor approved | CISO | At approval
Annual assessment completed | CISO | Within 5 days of assessment
Section 5 — Security induction for supplier personnel
What the security induction is
Every individual from a supplier organisation who will have access to our systems, data, or controlled areas must complete a security induction before their access is activated. The induction takes approximately 30 minutes and covers the security obligations specific to their engagement.
The induction is not the same as our annual all-staff security awareness training. It is a condensed programme designed to give supplier personnel the specific information they need to operate safely and compliantly within our environment from day one. The induction covers:
- What they can and cannot access within their granted scope
- How to handle the information they will encounter (classification and marking)
- Our incident reporting process: who to call, when, and what to say
- Physical security: sign-in procedures, escorted access, clear desk, badge wearing
- Device standards: what their devices must have active to access our systems
- MFA enrolment: how to set up multi-factor authentication for their accounts (for Standard-tier); FIDO2 hardware token setup (for Critical-tier)
- Prohibited behaviours: sharing credentials, taking photographs, using personal cloud storage for our data
- What happens when their engagement ends: account deactivation obligations
Delivery and completion recording
The induction is delivered by one of the following methods, depending on the nature and scale of the engagement:
Delivery method | Used for | Recorded as
──────────────────────────────────────────────────────────────────────────
LMS online module (self-paced, 30 min, with quiz with 80% pass mark) | Standard-tier suppliers with remote access only, where in-person delivery is impractical | LMS completion record (name, date, score)
In-person briefing by CISO or IT Manager (structured agenda, discussion format) | All Critical-tier suppliers; on-site maintenance contractors; anyone with Zone 3 access | Attendance record with signature from each individual
Hybrid: online module followed by on-site physical security walk | Standard-tier with on-site access and remote access | Both LMS and attendance record
The completion record is filed in the supplier register for the relevant individual and in EV-B → Policy and Training → Supplier Induction Records → [Supplier name] → [YYYY].
Access is not activated until induction completion is confirmed. IT Operations will not activate accounts or access cards until the CISO or HR confirms that induction is recorded as complete for each named individual.
What to cover in an in-person supplier induction
For IT Operations staff or the CISO conducting an in-person supplier induction, the following structured agenda ensures consistent delivery:
SUPPLIER SECURITY INDUCTION — IN-PERSON AGENDA
Duration: 30–45 minutes
SECTION 1: Who we are and what we're protecting (5 minutes)
Brief context: what type of information we handle (CUI, OFFICIAL)
Why security matters: our regulatory obligations (DFARS, DEFSTAN, ISO 27001)
What this means for the supplier: they are part of our compliance boundary
SECTION 2: Information classification and handling (10 minutes)
Walk through the classification levels: Public, Internal, Official, CUI
How to identify classified information when they encounter it
What they can and cannot do with classified information:
Can: use it for the contracted purpose; store it only on approved systems
Cannot: email it unencrypted; put it in personal cloud; discuss it externally
Practical example: "If you find a document marked OFFICIAL on a printer,
this is what you do..."
SECTION 3: Access and authentication (5 minutes)
Their specific account and what it gives access to
MFA: what they will need to do every time they log in
Sharing credentials: not under any circumstances
If their password is compromised: who to call
SECTION 4: Incident reporting (5 minutes)
Definition of what counts as a security incident for them to report
How to report: call CISO directly on [number]
When: immediately — not after investigation; not after business hours
What to include in the report (brief summary)
The no-blame culture: reporting early is always the right thing to do
SECTION 5: Physical security (5 minutes — adjust for on-site suppliers only)
Sign-in and sign-out at reception every time
Wearing the badge — always visible
Escorted access in Zone 2 and Zone 3
What to do if they see someone in a restricted area without a badge
Clear desk: what to do with our printed materials at end of day
SECTION 6: Devices (5 minutes)
Device standards: what must be active (AV, FDE, updates)
Personal devices: no personal cloud storage; no unauthorised software
If their device is lost or stolen: who to call and when
SECTION 7: End of engagement (5 minutes)
When their engagement ends, their access will be deactivated same day
They must not take copies of our data when they leave
Confidentiality obligation continues after the engagement ends
Confirmation:
Each individual signs the induction acknowledgement form
(Template: EV-B → Policy and Training → Supplier Induction Records →
Acknowledgement Form Template)
Section 6 — Security onboarding checklist
This is the operational checklist for IT Operations staff and the CISO. Every box must be ticked and the completed checklist filed before access is activated. The CISO owns the checklist and is the only person who can confirm completion and authorise the "Access activated" step.
For each new engagement, copy this checklist to a new child page at: EV-C → Risk Management → Supplier Assessments → [Supplier name] → Onboarding Checklist [YYYY-MM]
Part A — Prerequisites confirmed by CISO (before provisioning is requested)
PREREQUISITE CONFIRMATION — CISO section
Onboarding reference: SR-[YYYY]-[NNN]
Supplier name: ________________________________________________
Engagement description: ________________________________________________
Tier designation: ☐ Standard ☐ Critical
Date tier confirmed: ________________________________________________
CISO contact: [CISO name]
☐ A.1 Commercial notification received
Received from: _____________________ Date: _________________________
Commercial contact: _______________________________________________
☐ A.2 CISO tier determination communicated to supplier
Sent to: __________________________ Date: _________________________
Tier: Standard / Critical
☐ A.3 Obligations page sent to supplier
☐ Standard-tier: Supplier Security Obligations page link sent
☐ Critical-tier: Critical Supplier Security Obligations page link sent
Date sent: ________________________________________________________
Supplier confirmed receipt: ☐ Yes Date: __________________________
☐ A.4 NDA or equivalent confidentiality confirmed
☐ Main contract contains adequate confidentiality provisions
Contract reference: _____________________________________________
☐ Standalone NDA executed
NDA date: _____________ Signed by: _____________________________
Filed at: EV-C → Supplier Assessments → [Supplier] → NDA
☐ Not required — engagement does not involve Internal or above data
☐ A.5 Security questionnaire submitted and reviewed
☐ Standard-tier questionnaire received: Date ______________________
☐ Critical-tier assurance questionnaire received: Date _____________
☐ Questionnaire reviewed by CISO: Date ___________________________
☐ Blocking issues identified: ☐ None ☐ Yes — resolved: __________
☐ Risk rating assigned: Green / Amber / Red
Note: If Red, management decision required before proceeding. Do not
continue this checklist without management sign-off.
☐ A.6 Named individuals confirmed for access
List confirmed: ☐ Yes Number of individuals: ____________________
Individual names and roles provided by supplier: ☐ Yes Date: _____
☐ A.7 Screening confirmed for each named individual
For each individual, confirm screening level:
Name | Screening required | Screening completed | Confirmed by | Date
─────────────────────────────────────────────────────────────────────────
[Name] | [BPSS / Emp ref / None] | ☐ Yes ☐ Pending | [supplier CISO] | [date]
[continue]
Critical rule: No account is created for any individual whose
screening has not been confirmed as complete. "In progress" does
not satisfy this gate.
☐ A.8 Sub-contractors confirmed
☐ No sub-contractors involved in this engagement
☐ Sub-contractors involved — all listed and CISO-approved:
Sub-contractor names: ___________________________________________
CISO approval date: _____________________________________________
☐ A.9 Contract security schedule confirmed
☐ Standard security schedule attached to contract: ☐ Yes ☐ No
☐ Critical security schedule attached (Critical-tier only): ☐ Yes ☐ No
☐ Not applicable — contract does not require a security schedule
Contract reference: ______________________________________________
Contract executed date: __________________________________________
☐ A.10 Supplier added to supplier register
Register record created at: EV-C → Supplier Assessments → [Supplier name]
Date added: ______________________________________________________
Risk rating recorded: Green / Amber / Red
CISO confirms all Part A prerequisites met and provisioning authorised:
CISO name: _____________________________ Date: __________________________
Note: IT Operations must not provision access until receiving CISO sign-off
on this section. Email from CISO to [itoperations@organisation.com] confirming
SR-[YYYY]-[NNN] prerequisites complete is the provisioning trigger.
Part B — Technical provisioning (IT Operations section)
Completed after receiving CISO authorisation from Part A. Each account provisioned for each named individual requires a separate entry in EV-D03 (JML log).
TECHNICAL PROVISIONING — IT Operations section
Provisioning request received from CISO: Date ________________________________
Onboarding reference: SR-[YYYY]-[NNN]
FOR EACH NAMED INDIVIDUAL — complete one block per person:
Individual 1:
Full name: _______________________________________________________________
Supplier role: ___________________________________________________________
Access type required (from CISO authorisation):
☐ Remote access — specify systems: ____________________________________
☐ On-site Zone 2 access (ACS card)
☐ On-site Zone 3 access (ACS card — requires CISO sign-off per individual)
☐ VPN access
☐ Specific application access — specify: ________________________________
Account creation:
☐ B.1 JML provisioning ITSM ticket created
Ticket number: __________________________________________________
☐ B.2 Account created in Entra ID / AD
UPN: ___________________________________________________________
Account created date: ___________________________________________
Password set to temporary (must change on first login): ☐ Confirmed
☐ B.3 Access groups assigned per CISO authorisation
Groups assigned: ________________________________________________
Groups verified as minimum required for the engagement: ☐ Confirmed
☐ B.4 MFA configured
☐ Standard-tier: Microsoft Authenticator — setup email sent to supplier
☐ Critical-tier: FIDO2 hardware token issued
Token serial number: __________________________________________
Issued to: _________________ Date: ____________________________
☐ B.5 Conditional Access verified
Account is covered by CA policies CA-001 and CA-002: ☐ Confirmed
Account cannot bypass MFA: ☐ Confirmed
☐ B.6 ACS card provisioned (on-site access only)
☐ Zone 2: AG-AllStaff-Zone2 assigned Card number: ______________
☐ Zone 3: AG-ITOps-Zone3 assigned (CISO approval ref: ___________)
Card issued to: _____________________ Date: _____________________
Card tested on reader before issue: ☐ Confirmed
☐ B.7 VPN access configured (remote access only)
Added to VPN-Suppliers group: ☐ Confirmed
VPN connection tested by IT Operations: ☐ Confirmed
☐ B.8 Account listed in EV-D03 JML log with all fields completed
Screening date recorded (must precede account creation date): ☐ Confirmed
JML log entry complete: ☐ Confirmed
[Repeat this block for each additional named individual]
Access activation hold — do not activate until Part C is also complete.
IT Operations lead on this provisioning:
Name: _________________________________ Date: ___________________________
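Steps B.2, B.3, B.7 and B.8 of Part B as one Microsoft Graph PowerShell function. This is an added illustration, not a script from the page or the organisation's own tooling: the function name, parameter names and the ticket and group values in the usage comment are constructed, and only the VPN-Suppliers group name comes from the checklist. It assumes accounts are created in Entra ID with the Microsoft.Graph PowerShell SDK. The B.8 gate (screening confirmed complete and dated before the account exists) is enforced before anything is created, and the account is created disabled so the Part B activation hold is enforced by the directory rather than by memory; Part C enables it.

```powershell
# Modules used (Microsoft.Graph PowerShell SDK): Microsoft.Graph.Users, Microsoft.Graph.Groups
# Added example; the function and its parameter names are constructed for this page.

function New-SupplierAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $OnboardingRef,       # SR-[YYYY]-[NNN]
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $TicketNumber,        # B.1 JML ITSM ticket
        [Parameter(Mandatory)] [string[]] $AuthorisedGroups,    # B.3 groups named in the CISO authorisation
        [Parameter(Mandatory)] [ValidateSet('None','EmployerRef','BPSS','SC')] [string] $ScreeningLevel,
        [Nullable[datetime]] $ScreeningCompleted,               # A.7 / B.8 gate
        [switch] $RemoteAccess                                  # B.7 adds VPN-Suppliers
    )

    # B.8 gate: screening must be confirmed complete, and dated before the account is created.
    if ($ScreeningLevel -ne 'None' -and (-not $ScreeningCompleted -or $ScreeningCompleted -gt (Get-Date))) {
        throw "$OnboardingRef: screening ($ScreeningLevel) for $UserPrincipalName is not confirmed complete; no account created."
    }

    # Temporary password: 16 symbols drawn from a 64-character alphabet, so each random byte maps
    # without modulo bias (256 is a multiple of 64).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $bytes = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })

    $mailNickname = ($UserPrincipalName -split '@')[0]

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Create disabled supplier account ($OnboardingRef)")) {
        # B.2: created disabled (activation hold until Part C); password must change on first login.
        $user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $UserPrincipalName `
            -MailNickname $mailNickname -AccountEnabled:$false `
            -PasswordProfile @{ ForceChangePasswordNextSignIn = $true; Password = $tempPassword }

        # B.3 / B.7: only the groups the CISO authorised, plus VPN-Suppliers for remote access.
        $groups = @($AuthorisedGroups)
        if ($RemoteAccess) { $groups += 'VPN-Suppliers' }
        foreach ($name in ($groups | Select-Object -Unique)) {
            $g = Get-MgGroup -Filter "displayName eq '$name'"
            if (-not $g) { throw "Group '$name' not found; stopping so access is not partially granted." }
            New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $user.Id
        }

        # B.8: the JML log entry. The temporary password is returned as a SecureString so it is
        # handed over out of band (C.5: separately from the username, never to a group mailbox).
        [pscustomobject]@{
            OnboardingRef      = $OnboardingRef
            Ticket             = $TicketNumber
            UPN                = $UserPrincipalName
            ObjectId           = $user.Id
            AccountCreated     = Get-Date
            AccountEnabled     = $false
            ScreeningLevel     = $ScreeningLevel
            ScreeningCompleted = $ScreeningCompleted
            Groups             = $groups
            TemporaryPassword  = ConvertTo-SecureString $tempPassword -AsPlainText -Force
        }
    }
}

# Usage (constructed values; run with -WhatIf first to review the actions):
# Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All'
# New-SupplierAccount -OnboardingRef 'SR-YYYY-NNN' -DisplayName 'Example Contractor' `
#     -UserPrincipalName 'example.contractor@organisation.com' -TicketNumber 'ITSM-0000' `
#     -AuthorisedGroups 'APP-Example-ReadOnly' -ScreeningLevel BPSS `
#     -ScreeningCompleted (Get-Date '2024-01-15') -RemoteAccess
```

Because the account is created with `-AccountEnabled:$false`, the B.5 Conditional Access check and the C.3 first-access test still have to be done once Part C enables it; the function only guarantees that no enabled account exists before the screening gate and the CISO authorisation have been recorded.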
Part C — Induction and final activation (shared section)
INDUCTION AND FINAL ACTIVATION
☐ C.1 Security induction completed for all named individuals
Delivery method: ☐ LMS online ☐ In-person ☐ Hybrid
Per individual:
Name | Induction date | Delivery method | Score (LMS) | Signature (in-person)
───────────────────────────────────────────────────────────────────────────────
[Name] | [Date] | [LMS/In-person] | [%/N/A] | [✓/N/A]
Induction records filed at:
EV-B → Policy and Training → Supplier Induction Records → [Supplier] → [YYYY]
☐ C.2 Device standards check (remote access suppliers)
For each individual with remote access, confirm device standards met:
☐ The supplier has confirmed in writing that devices used to access
our systems meet the minimum standards in the Supplier Security
Obligations page (Section 1.1.2)
☐ Critical-tier: device compliance verification method agreed:
☐ MDM enrolment ☐ IT Operations inspection ☐ Written declaration
Written confirmation received from: _________________ Date: _________
☐ C.3 First access test (IT Operations)
☐ IT Operations has confirmed the account works as expected
(can access the specified systems; cannot access out-of-scope systems)
☐ Zone 3 test confirmed (if Zone 3 access was granted):
Test with escort: _________________ Date: ________________________
☐ C.4 Access expiry date set (for fixed-term engagements)
☐ Account expiry date set in Entra ID: [DATE] (matches contract end date)
☐ ACS card expiry set: [DATE]
☐ Reminder created in CISO calendar 30 days before expiry
☐ Not applicable — open-ended engagement (access reviewed quarterly)
☐ C.5 Supplier notified of account details
☐ Account credentials sent to supplier's named security contact
(not to a group mailbox; not CC'd to other parties)
☐ Temporary password sent separately from the username
(separate email or confirmed via phone)
☐ MFA setup instructions included
☐ C.6 Onboarding register updated
☐ Supplier register updated with:
Activation date: [DATE]
Named individuals: [confirmed list]
Risk rating: Green / Amber / Red
Next annual questionnaire due: [DATE]
☐ EV-D03 entries confirmed complete for all provisioned individuals
☐ C.7 Handover to ongoing management
☐ Commercial contact confirmed for this engagement: _______________
☐ Quarterly access review schedule: this supplier will appear in
the next EV-D01 quarterly privileged review if they have privileged
access, or the annual EV-D02 all-user review
☐ Annual questionnaire calendar reminder created: [DATE]
☐ Contract expiry calendar reminder created: [DATE — 90 days before]
FINAL ACTIVATION CONFIRMATION
I confirm that all prerequisites in Parts A, B, and C of this checklist
have been completed. Access for [supplier name] engagement SR-[YYYY]-[NNN]
is authorised to be activated.
CISO: _____________________________ Date: _________________________
IT Manager: _____________________________ Date: _________________________
Access activated: Date _________________ Time _________________ by: _________
Section 7 — Access deactivation at engagement end
Access deactivation is as important as access provisioning. The same sequence that must be followed when access is granted applies — in reverse — when it ends. A supplier account that remains active after the engagement ends is both a security risk and a compliance gap.
What triggers deactivation
| Trigger | Timeline | Who initiates |
|---|---|---|
| Contract ends on planned end date | Same day | Commercial team notifies CISO |
| Contract terminated early | Same day | Commercial team notifies CISO |
| Named individual leaves the supplier and ceases involvement in our engagement | Same day on discovery | Supplier CISO notifies our CISO |
| Named individual moves to a different role within the supplier with different access requirements | Before role change takes effect | Commercial team or supplier CISO notifies our CISO |
| Supplier's risk rating changes to Red and access restriction is required | Within 24 hours of Red rating confirmed | CISO decision; management input may be required |
| Account expiry date reached (fixed-term) | Same day | Automatic; IT Operations confirms |
Deactivation procedure
When the CISO receives a deactivation trigger:
DEACTIVATION STEPS — IT Operations executes; CISO confirms
☐ D.1 Entra ID account disabled (not deleted — retain for 90 days)
Same day as trigger
Accounts are disabled, not deleted, to preserve the audit trail
☐ D.2 All active sessions revoked
Revoke-MgUserSignInSession — immediately after disable
Confirm: no active tokens remain
☐ D.3 MFA methods removed
Remove all authentication methods from the account
☐ D.4 VPN group membership removed
Remove from VPN-Suppliers group
☐ D.5 ACS card deactivated (on-site access suppliers)
Facilities Manager: deactivate card in ACS console
Card status: Inactive (not deleted)
If card not returned: mark as Lost + deactivated; do not reuse
☐ D.6 Zone 3 access list updated (if applicable)
Remove individual from Zone 3 access list in EV-D23
☐ D.7 Data custody (where applicable)
Confirm with commercial contact whether any work product
or our data in the supplier's possession needs to be
returned or confirmed destroyed
Timeline for supplier data destruction: within 30 days
Certificate of destruction to be received within 60 days
☐ D.8 EV-D04 leaver record completed
All three sections: CISO, IT Operations, commercial contact
Filed at: EV-D → Access Control → JML Log → Leavers
☐ D.9 Supplier register updated
Status: Access deactivated
Deactivation date recorded
Note any outstanding items (data destruction, certificate pending)
☐ D.10 Post-deactivation SIEM check (within 24 hours)
Verify no access events in SIEM for the deactivated account
after the deactivation timestamp
If events appear: investigate immediately — possible credential
sharing or account still active — escalate to CISO
CISO deactivation confirmation:
Name: _____________________________ Date: _______________________________
All steps confirmed: ☐ Yes
Outstanding items: _____________________________________________________
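The technical steps above (D.1 to D.4 and the D.10 check) as one runnable script. This is an added example, not the organisation's own tooling, written for the Microsoft Graph PowerShell SDK because that is what the Revoke-MgUserSignInSession step on this page implies. Assumptions: the Microsoft.Graph modules are installed, the operator's account can consent to the scopes requested, the VPN group is named VPN-Suppliers as on this page, the engagement reference follows the SR-[YYYY]-[NNN] placeholder format, and Entra sign-in logs are used as a stand-in for the SIEM query in D.10 (the page does not name the SIEM). Steps D.5 to D.9 are physical or record-keeping steps and are not automated here.

```powershell
<#
Added example (not the organisation's own script): deactivates one supplier
account per steps D.1 to D.4, then runs the D.10 check against Entra sign-in
logs (assumption: the page says SIEM; sign-in logs stand in for it here).
Run with -WhatIf first to see the changes without making them.
#>
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups, Microsoft.Graph.Reports
[CmdletBinding(SupportsShouldProcess)]
param(
    # UPN of the supplier account, e.g. 'ext.jdoe@organisation.com' (placeholder)
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # Group name taken from step D.4 on this page (assumed to exist as a cloud group)
    [string] $VpnGroupName  = 'VPN-Suppliers',
    # Engagement reference from the checklist (placeholder format)
    [string] $EngagementRef = 'SR-[YYYY]-[NNN]'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All',
    'GroupMember.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'

$user    = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled
$trigger = (Get-Date).ToUniversalTime()   # deactivation timestamp for D.10 and the EV-D04 record

# D.1 Disable, do not delete: the object is retained so the audit trail survives.
if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'D.1 disable account')) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
}

# D.2 Revoke refresh tokens. Access tokens already issued keep working until they
# expire, so the D.10 check must cover the hours after this point, not just the minute.
if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'D.2 revoke sign-in sessions')) {
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# D.3 Remove every registered authentication method that Graph allows to be deleted.
# The password method cannot be removed; the account is disabled in D.1 anyway.
$collectionFor = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}
foreach ($method in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $method.AdditionalProperties['@odata.type']
    if (-not $collectionFor.ContainsKey($type)) { Write-Verbose "D.3 leaving $type in place"; continue }
    $uri = "https://graph.microsoft.com/v1.0/users/$($user.Id)/authentication/$($collectionFor[$type])/$($method.Id)"
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "D.3 remove $type")) {
        Invoke-MgGraphRequest -Method DELETE -Uri $uri
    }
}

# D.4 VPN group membership.
$group = Get-MgGroup -Filter "displayName eq '$VpnGroupName'" -Property Id, DisplayName
if (-not $group) { throw "VPN group '$VpnGroupName' not found; D.4 cannot be completed" }
$member = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
if ($member -and $PSCmdlet.ShouldProcess($user.UserPrincipalName, "D.4 remove from $($group.DisplayName)")) {
    Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
}

# D.10 Any sign-in recorded after the deactivation timestamp means a token that
# outlived the revoke, a credential still in use elsewhere, or an incomplete D.1.
# Re-run this part within 24 hours; sign-in log entries can lag by several minutes.
$since = $trigger.ToString('yyyy-MM-ddTHH:mm:ssZ')
$late  = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)' and createdDateTime ge $since" -All
if ($late) {
    Write-Warning "D.10: $(@($late).Count) sign-in event(s) after $since for $($user.UserPrincipalName). Escalate to CISO."
    $late | Select-Object CreatedDateTime, AppDisplayName, IpAddress,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } | Format-Table -AutoSize
}

# Summary to paste into the EV-D04 leaver record and the supplier register (D.8, D.9).
[pscustomobject]@{
    Engagement          = $EngagementRef
    User                = $user.UserPrincipalName
    DeactivatedAtUtc    = $since
    AccountEnabledNow   = (Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled
    SignInsAfterTrigger = @($late).Count
}
```

Run it once with -WhatIf to see what would change, then without. Keep the printed summary with the EV-D04 record: the DeactivatedAtUtc value is the timestamp the D.10 SIEM check is measured against, and AccountEnabledNow should read False before the CISO signs the confirmation above.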
Section 8 — What suppliers need to know about their own responsibilities during the engagement
This section is written directly for supplier personnel. It summarises the ongoing responsibilities that apply throughout the engagement — not just at onboarding.
Your responsibilities throughout the engagement
Keep your named contact updated. If your organisation has any personnel changes that affect who has access to our systems or data — someone leaves, someone new is added, someone's role changes — notify our CISO at [ciso@organisation.com] the same day the change occurs. Do not wait until the next scheduled review. Unauthorised individuals accessing our systems because a change was not notified is a compliance issue that affects both of us.
Tell us about security incidents immediately. If anything goes wrong on your side that affects or might affect our data or systems, call the CISO directly on [CISO mobile number] — do not send an email and wait for a response. The 2-hour notification obligation for Critical-tier suppliers and the Category A 2-hour obligation for Standard-tier suppliers are serious. We cannot meet our own regulatory clocks if we do not hear from you quickly.
Complete the annual questionnaire by the deadline. You will receive the relevant questionnaire by email from [ciso@organisation.com] before [31 March] each year. Complete and return it by the deadline. A supplier who does not return the questionnaire will receive up to two reminders. After 30 days without response, access is reviewed and may be suspended.
Keep your device standards current. The device standards we require are not a one-time check at onboarding — they are ongoing. Your devices must remain patched, AV-active, and encrypted throughout the engagement. If we discover through an incident or review that your devices have fallen below our minimum standards, we may need to restrict your access while the issue is resolved.
Tell us when your certifications change. If your ISO 27001 certification lapses, your Cyber Essentials Plus certificate expires without renewal, or your SOC 2 report becomes more than 12 months old, notify us within 10 business days. We understand that certification renewals have timelines — early notification allows us to discuss interim arrangements rather than being forced to suspend access at short notice.
Emergency contacts
FOR ALL SECURITY INCIDENTS — call, do not email:
CISO (24/7 for Category A incidents):
Name: [CISO name]
Phone: [CISO mobile — 24/7]
Email: [ciso@organisation.com] (business hours; not for urgent incidents)
IT Operations (for access issues, technical problems):
Name: [IT Manager name]
Phone: [IT Manager direct line]
Email: [itops@organisation.com]
If both are unavailable in a genuine emergency:
[Escalation contact — name and number]
For non-urgent enquiries (questionnaire submission, onboarding questions,
general compliance questions):
CISO email: [ciso@organisation.com]
Response within 3 business days
Confluence page version and review
Evidence filing locations used by this page:
Supplier register: EV-C → Risk Management → Supplier Assessments
Onboarding checklists: EV-C → Risk Management → Supplier Assessments
→ [Supplier name] → Onboarding Checklist [YYYY-MM]
NDAs: EV-C → Risk Management → Supplier Assessments
→ [Supplier name] → NDA
JML provisioning: EV-D → Access Control → JML Log
Deactivation records: EV-D → Access Control → JML Log → Leavers
Induction records: EV-B → Policy and Training → Supplier Induction
Records → [Supplier name] → [YYYY]
Retention:
Onboarding checklists: 3 years from engagement end
NDAs: contract duration + 6 years
Supplier register entries: 3 years from engagement end
JML provisioning and deactivation records: 3 years
Induction records: 3 years
Review cycle: Annual — reviewed alongside Policy 09 (Supplier Security Policy)
Page owner: CISO (security obligations) + IT Manager (technical steps)
Questions: [ciso@organisation.com]
| Version | Date | Prepared by | Key changes |
|---|---|---|---|
| 1.0 | [DATE] | CISO | Initial publication |