Supplier Security Obligations
Confluence page header
Page title: Supplier Security Obligations
Parent: ISMS Home → 09 · Supplier Security Policy
SCM variant: isms-all-staff (read — for staff engaging with suppliers)
isms-management (read — for commercial and procurement decisions)
isms-security (full access — CISO maintains)
isms-it-staff (read — for IT staff provisioning supplier access)
Page owner: CISO
Last reviewed: [DATE]
Next review: Annual — aligned with Supplier Security Policy review
Related pages: 09 · Supplier Security Policy (parent)
EV-C → Risk Management → Supplier Assessments (evidence filing)
Supplier Governance and Business Continuity Oversight (management view)
Who this page is for and how to use it
This page is addressed to the suppliers, contractors, and third-party service providers who work with us. It is also the internal reference for procurement, commercial, IT Operations, and the CISO when establishing or reviewing a supplier relationship.
The page is structured in two main parts. Part 1 covers the standard-tier obligations that apply to every supplier relationship regardless of the type of access involved — these are the baseline security behaviours we require of all third parties. Part 2 is the annual self-assessment questionnaire that all active suppliers with system access or data handling responsibilities must complete each year.
The obligations on this page are incorporated into the Standard Supplier Security Schedule that is attached to all contracts. If there is a conflict between this page and the signed contract, the signed contract prevails. If your contract includes an enhanced security schedule (Tier 1 or Tier 2, covering CUI or OFFICIAL access), the enhanced obligations apply in addition to everything on this page, not instead of it.
Why we require these obligations
The organisation processes Controlled Unclassified Information (CUI) under contracts with the US Department of Defense, and OFFICIAL-classified information under UK Ministry of Defence contracts. Both the US DFARS clause 252.204-7012 and the UK DEFSTAN 05-138 standard impose security obligations on us that flow down through our supply chain. When a supplier has access to our systems or data, even indirectly, the security of that access affects our ability to meet our compliance obligations.
We are also certified to ISO 27001:2022. ISO 27001 Annex A controls 5.19 through 5.22 require documented supplier security obligations, contractual terms that address information security, and ongoing monitoring of supplier security performance. The annual self-assessment questionnaire is the primary mechanism by which we fulfil the ongoing monitoring requirement.
None of these obligations is imposed because we distrust our suppliers. They are imposed because our regulators and contracting authorities require us to impose them, and because a supplier security failure can trigger regulatory reporting obligations for us regardless of where in our supply chain the failure occurs.
Part 1 — Standard-tier security obligations
These obligations apply to all suppliers, contractors, and third parties who have any of the following: access to our premises; access to our IT systems or networks; access to our data (including personal data, commercial-in-confidence information, CUI, or OFFICIAL information); or who deliver services that form part of our compliance boundary.
If you are unsure whether your engagement falls within this scope, contact the CISO at [ciso@organisation.com].
Section 1.1 — Acceptable use of our systems and information
What this covers: How you may use the access, systems, credentials, and information we provide during our engagement.
1.1.1 — Scope of authorised use
Access to our systems, networks, data, and premises is granted for the specific purposes set out in your contract or engagement documentation. All access is limited to what is necessary to deliver your contracted services.
You must not:
- Use access granted for our engagement to access systems, data, or areas beyond the scope of your contracted services
- Use our systems for personal purposes, including accessing personal email, personal cloud storage, personal social media, or personal banking through our network or devices
- Use our systems or access to conduct any activity that benefits a third party outside our contracted relationship, including competitor analysis or market research carried out for another client, or any activity that creates a conflict of interest
- Access, copy, or transmit any data beyond what is required to deliver your contracted services
- Use our credentials, access cards, or authentication tokens to access systems or areas on behalf of any other individual, including colleagues from your organisation who have not been individually authorised
- Connect your organisation's systems to ours in any way not specified in your contract or approved by our IT Operations team
- Attempt to access systems, data, or areas for which you have not been explicitly authorised, even if the technical barriers to that access are absent
1.1.2 — Device standards for system access
If you access our systems from your own devices (supplier-owned laptops, phones, or workstations), those devices must meet the following minimum standards. We may ask you to confirm these standards as part of the annual self-assessment questionnaire.
Your devices used to access our systems or data must:
- Run a currently supported operating system with all critical and high-severity security patches applied within 14 days of vendor release
- Have active antivirus or endpoint protection software with signatures updated within the past 24 hours
- Have full disk encryption enabled (BitLocker on Windows; FileVault on macOS; LUKS or equivalent on Linux)
- Have the device screen lock after no more than 15 minutes of inactivity, requiring a PIN or password to re-access
- Not be running an operating system that the vendor has declared end-of-support unless a formal exception has been agreed with our CISO in writing
If you access our systems through a browser-based interface only and no data is downloaded to your device, the disk encryption and screen lock requirements still apply. The risk of unauthorised access to a session or cached credentials on an unlocked device is the same regardless of the access mechanism.
We reserve the right to require that supplier devices accessing our CUI-scope or OFFICIAL-scope systems are enrolled in a mobile device management platform or inspected by our IT Operations team before access is granted. Where this requirement applies, it will be stated in your contract or engagement documentation.
1.1.3 — Credentials and authentication
Credentials (usernames, passwords, tokens, certificates) that we issue to you are personal to you. They must not be shared with any other individual, including other members of your organisation who have not been individually authorised.
You are responsible for the security of your credentials. Specifically:
- You must not store credentials in plain text files, shared documents, email, or any location accessible to other individuals
- You must not use the same password for our systems that you use for any other service. Reused passwords are the most common route to credential compromise: when another service is breached, the leaked password is replayed against ours (credential stuffing)
- If we require multi-factor authentication for your access (which is the case for all cloud-based and remote access), you must enrol a device assigned to you alone (your own phone or a hardware token) in the MFA method we specify. You may not use a shared device for MFA
- You must notify us immediately if you believe your credentials have been compromised or if you suspect unauthorised use of your access
When your engagement ends, or when a specific individual's involvement in the engagement ends, you must notify us immediately so that the credentials can be deactivated. Do not wait for a formal offboarding process if an individual has already left your organisation or ceased their involvement in our engagement.
1.1.4 — Physical access and on-site behaviour
If your engagement involves physical access to our premises, you must:
- Sign in at reception and comply with our visitor and contractor sign-in procedure at every visit
- Wear your visitor or contractor badge visibly at all times while on our premises
- Be escorted by your named host when in controlled areas of our premises (Zone 2 and Zone 3 as defined in our physical security policy)
- Not attempt to access areas of our premises beyond those your host has taken you to, even if you observe that doors are unlocked or unguarded
- Not take photographs or record video inside our premises without explicit written permission from our CISO
- Comply with our clear desk expectation: do not leave papers, printouts, or devices containing our information unattended in shared or open areas of our premises
For contractors who conduct maintenance or engineering work in our secure areas (server room, network equipment room), additional supervision requirements apply as described in our physical security procedure. Your named host from our IT Operations team will explain these before you enter the secure area.
Section 1.2 — Data handling and protection
What this covers: How you must handle the information we provide to you or that you generate on our behalf.
1.2.1 — Data classification and marking
We operate an information classification scheme aligned with UK government classifications and CUI marking requirements. When we share information with you, it will be classified as one of the following:
Classification       What it means for handling
─────────────────────────────────────────────────────────────────────────────
PUBLIC               May be shared freely; no special handling required
INTERNAL             For use within our organisation and authorised suppliers;
                     do not share externally without CISO approval
OFFICIAL             Handled to HMG OFFICIAL standard; encrypted in transit;
                     stored on approved systems only; not shared without approval
OFFICIAL-SENSITIVE   As OFFICIAL but with additional handling restrictions
                     specified per document; discuss with CISO if unsure
CUI                  Controlled Unclassified Information under US DoD regulation;
                     handled to NIST SP 800-171 standard; encrypted in transit
                     and at rest; access limited to individually named persons;
                     not shared without written approval from CISO
If you receive a document or data from us that is marked with a classification, you must handle it according to the requirements above for that classification level. If you are unsure of the classification of information you have received from us, treat it as OFFICIAL until you have confirmed with the CISO.
You must not re-classify information downward (for example, marking OFFICIAL information as INTERNAL to simplify distribution) without our written agreement.
1.2.2 — Encrypted transmission
Any information we classify as INTERNAL or above must be transmitted using encryption when sent electronically. This means:
- Email containing INTERNAL or above information must be sent via an encrypted connection (TLS-encrypted SMTP, not plain SMTP). Most modern email services negotiate STARTTLS automatically, but this protection is opportunistic and hop-by-hop: as the sender you cannot verify that every relay on the path used it, and it does nothing for the message once it is sitting on a mail server. That is why transport encryption alone is not sufficient for OFFICIAL or CUI (see below). If you use an email service that does not support TLS, notify us before sending any classified information.
- File transfers must use encrypted protocols: SFTP, HTTPS, or a dedicated secure file transfer service. Plain FTP, plain HTTP, or unencrypted email attachments are not acceptable for any classified information.
- For OFFICIAL and CUI classified information: end-to-end encryption is required in addition to transport encryption. This means the information must be encrypted before it leaves your device, not just encrypted in transit by the email or file transfer service. Acceptable methods: an encrypted archive using AES-256 with a strong password (with 7-Zip, use the .7z format with header encryption enabled; if you must produce a .zip, select AES-256 explicitly, because 7-Zip's default password protection for .zip is the legacy ZipCrypto cipher, which is not acceptable); end-to-end encrypted email (S/MIME encrypting to a recipient certificate issued by our CA, or PGP using the recipient's published key); or our approved secure file transfer portal.
- Encryption keys and passwords used to protect classified information must be sent separately from the encrypted file, over a different channel (for example by phone or text message to the named recipient). A second email to the same mailbox is not a separate channel: anyone who can read the first message can read the second.
If you are unsure whether a transmission method meets these requirements, ask our CISO before sending.
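A recipient-side check for the encrypted-archive route above, added here as an illustration rather than anything taken from this page or from 7-Zip itself: it reads the central directory of a .zip container and reports, for every entry, whether it is unencrypted, protected with legacy ZipCrypto, or protected with WinZip-style AES (and at which key size), so an intake script can reject anything that is not AES-256 before the file is opened. It applies to .zip containers only; a .7z archive has a different header layout and is not parsed here. The two sample archives are hand-assembled in the script with exactly the directory fields a real encrypting tool would set; their payloads are placeholder bytes rather than real ciphertext, and the entry names are invented.

```python
import io
import struct
import zipfile
import zlib

FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted
AES_METHOD = 99           # compression-method value that marks WinZip AE-x entries
AES_EXTRA_ID = 0x9901     # extra-field header ID carrying the AE-x parameters
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}


def aes_key_bits(extra):
    """Return the AES key size recorded in an AE-x extra field, or None if there is none."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and size >= 7:
            # AE-x data: vendor version (2), vendor ID b"AE" (2), strength (1), real method (2)
            return AES_STRENGTH_BITS.get(extra[pos + 8])
        pos += 4 + size
    return None


def classify_entry(info):
    """Classify one central-directory entry (a zipfile.ZipInfo)."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "unencrypted"
    if info.compress_type != AES_METHOD:
        return "zipcrypto"   # encrypted flag set but no AE-x marker: legacy PKWARE stream cipher
    bits = aes_key_bits(info.extra)
    return "aes-%d" % bits if bits else "aes-unknown"


def check_archive(data):
    """Return (acceptable, {entry name: classification}); acceptable means every entry is AES-256."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report = {info.filename: classify_entry(info) for info in zf.infolist()}
    return bool(report) and all(v == "aes-256" for v in report.values()), report


# --- constructed sample archives (placeholder payloads; only the directory fields matter) ---

DOS_DATE = (2024 - 1980) << 9 | 1 << 5 | 1   # 2024-01-01 in MS-DOS date format


def build_zip(entries):
    """Hand-assemble a stored-method zip from (name, flags, method, extra) tuples."""
    body, central = bytearray(), bytearray()
    for name, flags, method, extra in entries:
        payload = b"opaque-bytes"        # stands in for the entry's (possibly encrypted) data
        fname, crc, offset = name.encode(), zlib.crc32(payload), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, DOS_DATE,
                            crc, len(payload), len(payload), len(fname), len(extra))
        body += fname + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0,
                               DOS_DATE, crc, len(payload), len(payload), len(fname),
                               len(extra), 0, 0, 0, 0, offset)
        central += fname + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def ae_extra(strength):
    """AE-2 extra field for strength code 1/2/3 (128/192/256-bit), real method 0 (stored)."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 0)


GOOD_ARCHIVE = build_zip([("report.pdf", FLAG_ENCRYPTED, AES_METHOD, ae_extra(3))])
WEAK_ARCHIVE = build_zip([
    ("report.pdf", FLAG_ENCRYPTED, 0, b""),                  # ZipCrypto: flag set, no AE-x record
    ("notes.txt", FLAG_ENCRYPTED, AES_METHOD, ae_extra(1)),  # AES, but only 128-bit
    ("readme.txt", 0, 0, b""),                               # not encrypted at all
])

if __name__ == "__main__":
    for label, archive in (("good", GOOD_ARCHIVE), ("weak", WEAK_ARCHIVE)):
        ok, report = check_archive(archive)
        print(label, "acceptable" if ok else "REJECT", report)
```

Run the script directly to see both reports; in practice check_archive would sit in a mail-gateway or file-intake step. It inspects container metadata only: it confirms which cipher the sender selected, not that the password was strong or that it arrived by a separate channel.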
1.2.3 — Storage of our data on your systems
If your engagement requires you to store our information on your own systems (servers, cloud storage, local drives), the following requirements apply:
- INTERNAL classified information: stored on systems with access controls limiting access to personnel who require it for the engagement. No special encryption requirement for at-rest storage, but physical and logical access controls must prevent unauthorised access.
- OFFICIAL and CUI classified information: stored on systems with full disk or volume encryption using AES-256 or equivalent. Access limited to individually named, authorised personnel. Cloud storage services used for OFFICIAL or CUI must be services where you, not the cloud provider, hold the encryption keys. We must approve the specific cloud service before you store OFFICIAL or CUI information on it.
- No OFFICIAL or CUI information may be stored on personal cloud storage services (personal Dropbox, personal Google Drive, personal iCloud, or equivalent) regardless of whether those services offer encryption. The risk is not the encryption — it is the lack of organisational control over the account and the data.
- No OFFICIAL or CUI information may be stored on removable media (USB drives, external hard drives, SD cards) unless specifically authorised in writing by our CISO for a specific purpose. Where authorised, the media must be encrypted.
1.2.4 — Retention and return of our data
At the end of your engagement, or at the end of a specific phase of work involving our information:
- Any copies of our INTERNAL, OFFICIAL, or CUI information in your possession must be either returned to us or securely destroyed within 30 days of engagement end
- Secure destruction means sanitising the media with a NIST SP 800-88 Purge or Destroy method suited to the media type. Overwriting is adequate only for magnetic disks; on SSDs and flash media wear levelling leaves blocks an overwrite cannot reach, so use the drive's built-in sanitize or secure-erase command or physically destroy the device. For cloud storage, secure destruction means cryptographic erasure (destroying the keys) followed by deletion of the data objects
- You must provide us with written confirmation of destruction, specifying the information destroyed, the method used, and the date
- If your contract specifies that you must return rather than destroy copies, you must confirm return with a signed handover receipt
- Backup copies of our information that exist in your backup systems must also be purged within 90 days of engagement end, or at your next scheduled backup rotation if that occurs sooner
We retain the right to audit your data handling practices, including requesting evidence of secure destruction, for up to 12 months following engagement end.
1.2.5 — Personal data — UK GDPR obligations
If you process personal data on our behalf (employee data, customer contact data, or any other information that identifies or could identify a living individual), a Data Processing Agreement (DPA) under UK GDPR Article 28 must be in place before any personal data is shared with you. If no DPA is in place and your engagement involves personal data, contact the CISO immediately — this is a legal requirement, not a preference.
Under the DPA, you are required to:
- Process personal data only on our documented instructions
- Not transfer personal data outside the UK or EEA without our written consent and appropriate transfer safeguards
- Implement technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction
- Assist us in responding to data subject rights requests (access, erasure, portability) when the data is under your control
- Notify us of any personal data breach within 24 hours of your discovery of the breach — not 24 hours after investigation is complete, but 24 hours after you become aware that a breach may have occurred
The 24-hour notification requirement for personal data breaches is deliberately tighter than the 72-hour ICO reporting obligation. This is because we need your notification in time to assess the breach, determine whether it meets the ICO reporting threshold, and submit our notification to the ICO within our own 72-hour window.
Section 1.3 — Security incident reporting
What this covers: When and how you must tell us about security events that affect or may affect our information, systems, or services.
1.3.1 — What you must report and when
You must notify us of any security incident affecting your systems, services, or personnel that meets any of the following criteria:
Category A — Report within 2 hours (24 hours a day, 7 days a week):
- Any confirmed or suspected breach, unauthorised access, or exfiltration of our information (any classification)
- Ransomware or destructive malware affecting any system that holds or processes our information
- Compromise of credentials used to access our systems
- Any physical security event (theft, loss, break-in) affecting devices or media that contain our information
- Any event that has or may have triggered our DFARS 72-hour reporting obligation or DEFSTAN 24-hour notification obligation
Why 2 hours: our DEFSTAN obligation requires us to notify the contracting authority within 24 hours of discovery. Our DFARS obligation requires notification within 72 hours. For us to meet these clocks, we need to know about the event as early as possible. A supplier who waits 12 hours before notifying us because they are still investigating creates a material risk that we miss our own regulatory deadline. Notify first, investigate simultaneously.
Category B — Report within 24 hours (business hours):
- A security incident affecting your systems where our information was not directly affected but where your investigation is not yet complete and you cannot rule out an impact on our information
- Loss or theft of any device or media that was used to access our systems, even if the device does not currently hold copies of our information
- Discovery that a member of your staff with access to our systems has left your organisation without going through your standard offboarding process
- Any vulnerability discovered in systems or software you use to deliver services to us that is classified as Critical or High severity
Category C — Report within 5 business days:
- Security incidents that have been fully investigated and confirmed as having no impact on our information, but that involved your systems or services used in our engagement
- Changes to your security posture that materially affect your ability to meet the obligations in this document (for example, loss of ISO 27001 certification, a significant reduction in your security team, or a decision to change cloud hosting provider)
- Discovery that a sub-contractor you use in delivering our services has had a security incident
1.3.2 — How to report
Primary contact for all security incident reports:
CISO: [CISO name]
Email: [ciso@organisation.com]
Phone: [CISO direct line]
Out of hours: [CISO mobile — for Category A incidents only]
Secondary contact (if CISO is unavailable):
IT Manager: [IT Manager name]
Email: [itmanager@organisation.com]
Phone: [IT Manager direct line]
For Category A incidents: call the CISO directly. Do not rely on email for time-critical notifications — email may not be seen immediately. A call takes 2 minutes and ensures the notification clock is recorded accurately.
What to include in your notification:
When you contact us, please have the following information ready:
1. What happened: [brief description — you do not need to have the full picture; tell us what you know now]
2. When it was discovered: [date and time — this is when our regulatory clock starts]
3. Systems or data affected: [which systems, and whether our information was or may have been involved]
4. What you have done so far: [containment steps already taken, if any]
5. Your incident lead: [the named person at your organisation managing the incident and how we can reach them for updates]
6. Next update: [when you expect to have more information to share with us]
You do not need to know the root cause, the full scope of impact, or the remediation plan before you notify us. Early notification with limited information is always preferable to a complete report that arrives too late for us to meet our own obligations.
1.3.3 — What happens after you notify us
On receiving your notification, the CISO will:
- Confirm receipt of the notification and provide you with an incident reference number
- Assess whether the event meets the threshold for our own regulatory notifications (DFARS, ICO, DEFSTAN)
- Advise you of any containment actions we are taking on our side (for example, suspending your access to our systems)
- Provide you with ongoing contact details for the duration of the incident
We may ask you to preserve evidence from your systems in a form that supports forensic investigation. If we make this request, please do not delete or overwrite the relevant logs and data until we confirm that evidence preservation is no longer required. This is not a courtesy: DFARS 252.204-7012 requires us to preserve and protect images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days from the date we submit our cyber incident report, and to provide them to the DoD on request, so your preservation may be a legal requirement on us.
We will not share the details of your incident with third parties unless we are legally required to do so as part of our own regulatory reporting.
1.3.4 — Your obligations if we notify you of an incident
If we discover a security incident involving our systems and believe your systems or data may also be affected, we will notify you. We ask that you:
- Confirm receipt and provide us with a named point of contact for the incident response
- Conduct a review of your own systems for indicators of compromise that we provide
- Report back to us within 24 hours on whether you have found any corresponding indicators in your environment
- Preserve relevant logs and evidence from your systems for a minimum of 30 days from the date of our notification
Section 1.4 — Personnel and screening
What this covers: Expectations about the people you deploy in connection with our engagement.
1.4.1 — Identity verification
All individuals from your organisation who will have access to our premises, systems, or classified information must be able to demonstrate their identity on request. For on-site visits, this means presenting a valid government-issued photo ID at reception on the first visit to each of our sites.
We will maintain a record of the individuals from your organisation who have been granted access. This record is reviewed quarterly as part of our access review process. You must notify us promptly when any individual on this list leaves your organisation or ceases to be involved in our engagement.
1.4.2 — Background screening expectations
For engagements involving access to CUI, OFFICIAL, or OFFICIAL-SENSITIVE information, we require that your personnel have completed background screening at the appropriate level before access is granted:
Access type                              Minimum screening required
─────────────────────────────────────────────────────────────────────────────────
General on-site access (Zone 1 only)     None — sign-in procedure applies
Zone 2 access; INTERNAL classified       Employer reference check + right to work
data handling                            verification (equivalent to BPSS
                                         components 1 and 2)
CUI access; OFFICIAL classified access   BPSS (Baseline Personnel Security Standard)
                                         — all four components confirmed
OFFICIAL-SENSITIVE or above access       SC clearance or as specified in the DEFSTAN
                                         contract schedule for the relevant engagement
Where your country of operation does not have an equivalent to BPSS, we will agree an equivalent screening approach with you before access is granted. The screening must be completed before access is granted — not retrospectively.
You must confirm screening status for each individual in the annual self-assessment questionnaire. For engagements where SC clearance is required, you must notify us immediately if any individual's clearance status changes, including renewal, lapse, or revocation.
1.4.3 — Insider threat and security awareness
Personnel from your organisation who have access to our systems or classified information must receive security awareness training covering at minimum:
- The classification of information they will handle and the handling requirements for each level
- Your organisation's procedures for reporting security concerns and potential insider threat indicators
- How to recognise and report phishing and social engineering attempts
- Your organisation's obligations and their personal obligations in the event of a security incident
We may ask you to confirm training completion in the annual self-assessment questionnaire. If you operate a training programme that covers these topics, evidence of completion (such as LMS completion records) is sufficient. We do not require your personnel to complete our own training programme.
1.4.4 — Sub-contractors
You must not sub-contract any element of your services to us that involves access to our premises, systems, or classified information without our prior written approval.
If you wish to engage a sub-contractor in our engagement, notify the CISO with:
- The sub-contractor's company name and a brief description of their role
- The specific access the sub-contractor would require (systems, data, premises)
- Confirmation that the sub-contractor is subject to equivalent security obligations in your own contract with them
We will assess the sub-contractor as part of our supplier risk management process and will either approve the engagement or discuss alternative approaches with you. In no case will a sub-contractor be granted access to our systems or classified information before we have confirmed written approval.
If your sub-contractor suffers a security incident that affects or may affect our information, your notification obligations in Section 1.3 apply regardless of whether the event was caused by you or your sub-contractor.
Section 1.5 — Certification and security standards
What this covers: The security certifications and standards we expect you to maintain.
1.5.1 — Minimum certification requirement
All suppliers with access to our systems or data are expected to maintain at least one of the following:
Tier 1 (preferred):
- ISO 27001:2022 certification — current; certificate number available on request
- SOC 2 Type II report — current (within 12 months)
- CMMC Level 2 self-assessment — current SPRS score submitted; available on request
Tier 2 (acceptable for limited-access engagements):
- Cyber Essentials certification — current; certificate verifiable at ncsc.gov.uk/cyberessentials/search
- Equivalent national standard agreed with CISO in writing
Tier 3 (for low-risk / transient access engagements only):
- Completion of our annual self-assessment questionnaire with all standard-tier requirements confirmed as met
- Annual CISO review confirming Tier 3 remains appropriate for the engagement
If you do not currently hold any of the above certifications, this does not automatically disqualify you from working with us. We will discuss with you what compensating measures would be appropriate for your engagement. However, we cannot grant CUI or OFFICIAL access to any supplier without either a current Tier 1 or Tier 2 certification or specific written agreement from our CISO.
1.5.2 — Maintaining certification currency
You must notify us within 10 business days if:
- Your ISO 27001 certificate lapses or is suspended by the certification body
- Your Cyber Essentials certificate lapses
- Your SOC 2 Type II report is no longer current (more than 12 months old)
- Your CMMC self-assessment has not been submitted within the annual cycle
- Your organisation is subject to a regulatory enforcement action relating to information security or data protection
We will discuss with you what interim measures are needed if your certification lapses during an active engagement.
Part 2 — Annual supplier self-assessment questionnaire
This questionnaire must be completed annually by all suppliers with an active engagement that involves access to our systems, data, or premises, and by all sub-contractors on our DEFSTAN or DoD contracts.
Completion deadline: [DATE — typically 31 March each year, or within 30 days of a new engagement commencing, whichever is sooner]
Return to: [ciso@organisation.com] with subject line: "Supplier Security Self-Assessment — [Your company name] — [YYYY]"
If any question is not applicable to your engagement, answer "N/A" and explain briefly why it does not apply. Do not leave questions blank.
Questionnaire header
SUPPLIER SECURITY SELF-ASSESSMENT — [YYYY]
Submitted by: [Supplier company name]
Submission date: [DATE]
Engagement description: [Brief description — e.g. "Managed IT services —
server and network management"]
Named contact for this questionnaire:
Name: [Full name]
Role: [Job title]
Email: [Email address]
Phone: [Direct number]
Declaration:
I confirm that the information provided in this questionnaire is accurate
to the best of my knowledge and belief as of the submission date. I
understand that providing materially inaccurate information may result in
termination of our engagement.
Signature: ___________________________
Date: [DATE]
Section A — Organisation and engagement overview
A1. Company details
A1.1 Legal company name: ________________________________________________
A1.2 Company registration number: _______________________________________
A1.3 Registered address: ________________________________________________
A1.4 Primary trading address (if different): _____________________________
A1.5 Countries in which services to us are delivered: ____________________
A1.6 Number of employees globally: ______________________________________
A1.7 Number of employees involved in our engagement: _____________________
A2. Nature of access
A2.1 Does your engagement involve remote access to our IT systems?
☐ Yes ☐ No
If Yes, describe the systems accessed and how access is obtained:
___________________________________________________________________
A2.2 Does your engagement involve on-site access to our premises?
☐ Yes ☐ No
If Yes, which areas of our premises do your personnel access?
___________________________________________________________________
A2.3 Does your engagement involve handling our data?
☐ Yes ☐ No
If Yes, describe what data you handle and how:
___________________________________________________________________
A2.4 What is the highest classification of information you handle for us?
☐ None / Public
☐ Internal
☐ Official
☐ Official-Sensitive
☐ CUI (Controlled Unclassified Information — US DoD)
A2.5 Do you engage sub-contractors to deliver any part of the services
you provide to us?
☐ Yes ☐ No
If Yes, have these sub-contractors been approved by our CISO?
☐ Yes — approval date: ____________ ☐ No — contact CISO before continuing
A3. Named individuals with access
Provide a current list of all individuals from your organisation who have
access to our systems, data, or premises. (If more than 10 individuals,
attach a separate spreadsheet.)
Name | Role | Systems/Data/Premises accessed | Screening level | Last verified
─────────────────────────────────────────────────────────────────────────────
[Name] | [Role] | [describe] | [BPSS/SC/None] | [DATE]
[continue]
Section B — Information security management
B1. Security management system
B1.1 Does your organisation hold a current ISO 27001 certification?
☐ Yes ☐ No
If Yes:
Certificate number: ______________________________________________
Certification body: ______________________________________________
Certificate valid until: ________________________________________
Scope of certification: _________________________________________
Does the scope cover the systems and services used to deliver
our engagement? ☐ Yes ☐ No — if No, explain: __________________
B1.2 Does your organisation hold a current Cyber Essentials certification?
☐ Yes ☐ No
If Yes:
Certificate number: ______________________________________________
Valid until: ____________________________________________________
Does the scope cover the systems used for our engagement?
☐ Yes ☐ No — if No, explain: ___________________________________
B1.3 Does your organisation hold a current SOC 2 Type II report?
☐ Yes ☐ No
If Yes: Report date: _____________ Period covered: ________________
Trust Services Criteria covered (e.g. Security, Availability,
Confidentiality): _______________________________________________
Does the report's system description cover the services used for
our engagement? ☐ Yes ☐ No — if No, explain: ____________________
B1.4 Does your organisation have a documented information security policy
that has been approved by senior management within the past 12 months?
☐ Yes ☐ No
B1.5 Does your organisation conduct formal security risk assessments at
least annually?
☐ Yes ☐ No
B1.6 Does your organisation have a named individual (CISO, Head of Security,
or equivalent) responsible for information security?
☐ Yes ☐ No
If Yes, name and role: ___________________________________________
B2. Security awareness and training
B2.1 Do all personnel with access to our systems or data complete annual
security awareness training?
☐ Yes ☐ No ☐ N/A — no personnel have access to our systems or data
B2.2 Does your security awareness training cover:
☐ Password security and credential management
☐ Phishing and social engineering recognition and reporting
☐ Data classification and handling
☐ Incident reporting obligations
☐ Clear desk and clean screen
☐ Physical security and visitor handling
B2.3 What is your current security awareness training completion rate
for the personnel who have access to our systems or data?
☐ 100% ☐ 95–99% ☐ 90–94% ☐ Below 90% — describe remediation: _______
Section C — Access control and identity management
C1. Account management
C1.1 Are all individuals who access our systems using individual named
accounts (no shared accounts)?
☐ Yes ☐ No — explain: ___________________________________________
C1.2 When a member of your staff leaves your organisation or ceases to
be involved in our engagement, how quickly is their access to our
systems deactivated?
☐ Same day ☐ Within 2 days ☐ Within 5 days ☐ Other: __________
C1.3 Do you have a formal off-boarding process that includes revoking
access to client systems?
☐ Yes ☐ No
C1.4 How often do you review which of your personnel have access to
our systems?
☐ Monthly ☐ Quarterly ☐ Annually ☐ Less than annually / Never
C2. Authentication
C2.1 Is multi-factor authentication (MFA) enabled for all accounts
used to access our systems?
☐ Yes ☐ No — explain: ___________________________________________
C2.2 Do the accounts used to access our systems use passwords that meet
the following minimum standards:
At least 12 characters? ☐ Yes ☐ No
Not a previously used password (minimum 12 in history)? ☐ Yes ☐ No
Not a dictionary word or common pattern? ☐ Yes ☐ No
Changed if there is any reason to suspect compromise? ☐ Yes ☐ No
C2.3 Do your privileged/administrative accounts (if any) use a separate
account from standard user accounts?
☐ Yes ☐ No ☐ N/A — no privileged access to our systems
C3. Personnel screening
C3.1 Confirm that the screening level recorded for each individual in the
Section A3 table is current and accurate:
☐ Confirmed ☐ Not confirmed — describe which entries are out of date
and the screening in progress: ____________________________________
C3.2 Have any individuals with access to our CUI or OFFICIAL information
had their screening lapse or been subject to a change in clearance
status since your last self-assessment?
☐ Yes — describe: _______________________________________________
☐ No
Section D — Device and endpoint security
D1. Device standards
D1.1 Are all devices used by your personnel to access our systems or data
running a currently supported operating system with vendor security
support active?
☐ Yes ☐ No — describe which systems are affected and your plan: _____
D1.2 Are all devices used to access our systems running active antivirus
or endpoint protection software?
☐ Yes ☐ No — explain: ___________________________________________
D1.3 Are antivirus signature definitions updated at least daily on all
devices used to access our systems?
☐ Yes ☐ No ☐ Unsure
D1.4 Is full disk encryption enabled on all devices used to access our
systems or to store our data?
☐ Yes — encryption method: _______________________________________
☐ No — explain: ________________________________________________
D1.5 Are all devices enrolled in a mobile device management (MDM) or
endpoint management platform that enforces security policies?
☐ Yes — platform: _______________________________________________
☐ No
D2. Patch management
D2.1 What is your process for applying security patches to devices used
to access our systems?
☐ Automatic updates enabled — patches applied within [N] days of release
☐ Managed patching — patches applied within [N] days of release
☐ Ad hoc — no defined schedule
☐ Other: ________________________________________________________
D2.2 Are all critical and high severity patches applied to devices used
to access our systems within 14 days of vendor release?
☐ Yes ☐ No — describe your actual patching cadence: _______________
D2.3 Are there any systems used to access our data that are running
software for which the vendor has ended security support?
☐ Yes — describe: ______________________________________________
☐ No
Section E — Network and boundary security
E1. Network controls
E1.1 Is access to our systems from your organisation restricted to
specific, authorised network locations or VPN connections?
☐ Yes ☐ No — access is possible from any internet location
E1.2 Do you use a firewall or equivalent boundary control on your
corporate network?
☐ Yes ☐ No ☐ N/A — no corporate network; remote workers only
E1.3 Is your corporate Wi-Fi network separated from any guest or
personal device networks?
☐ Yes ☐ No ☐ N/A — no office Wi-Fi
E1.4 When your personnel work remotely and access our systems, do they
connect via a VPN?
☐ Yes — all remote access via VPN
☐ Yes — some remote access via VPN (describe exceptions): _________
☐ No — remote access without VPN
E2. Cloud services
E2.1 Do you use any cloud services to store or process our data?
☐ Yes ☐ No
If Yes, list the services and the data stored/processed:
Cloud service | Data stored/processed | Location | Encryption keys under your control?
─────────────────────────────────────────────────────────────────────────
[Service] | [describe] | [country] | ☐ Yes ☐ No
[continue]
E2.2 For any cloud services storing our OFFICIAL or CUI data, are the
encryption keys under your control (client-side encryption, or
customer-managed keys that the provider cannot use without your
authorisation)? The provider's default encryption at rest, where the
provider holds the keys, does not count as "Yes".
☐ Yes ☐ No ☐ N/A — no OFFICIAL or CUI data in cloud services
Section F — Incident response and business continuity
F1. Incident response capability
F1.1 Does your organisation have a documented security incident response
plan or procedure?
☐ Yes — last reviewed: __________________________________________
☐ No
F1.2 Do you have a 24/7 contact point for reporting security incidents
to your organisation?
☐ Yes — contact details: ________________________________________
☐ No
F1.3 Has your organisation experienced any security incidents in the past
12 months that affected or may have affected our information, systems,
or services?
☐ Yes — describe each (use additional sheet if needed):
Date: ________ Description: ___________________________________
Our data affected? ☐ Yes ☐ No ☐ Unknown
Notified to us? ☐ Yes — date: _______ ☐ No — explain: ________
☐ No
F1.4 Have you notified us of all security incidents meeting the criteria
in Section 1.3 of this document during the past 12 months?
☐ Yes ☐ No — explain any incidents not notified and why: _________
F1.5 What is your target time from discovering a security incident to
notifying the affected clients (state your measured typical time if
you track it)?
☐ Under 2 hours ☐ 2–12 hours ☐ 12–24 hours ☐ Over 24 hours
☐ No defined target
F2. Business continuity
F2.1 Does your organisation have a business continuity plan covering
the services you provide to us?
☐ Yes — last tested: ___________________________________________
☐ No
F2.2 What is your recovery time objective (RTO) for the services you
deliver to us?
RTO: ____________ hours
This RTO is: ☐ Documented ☐ Estimated ☐ Not defined
F2.3 Have there been any service disruptions affecting the services you
deliver to us in the past 12 months?
☐ Yes — describe, including duration and impact:
_______________________________________________________________
☐ No
Section G — Data handling and sub-contractors
G1. Data handling practices
G1.1 Confirm that you have read and understood the data handling obligations
in Section 1.2 of this document:
☐ Confirmed
G1.2 Are there any elements of Section 1.2 that you are currently unable
to comply with?
☐ Yes — describe: ______________________________________________
☐ No
G1.3 When our engagement ends, describe how you will securely destroy or
return our data:
___________________________________________________________________
G1.4 If your engagement involves personal data: is a Data Processing
Agreement in place with us?
☐ Yes — DPA date: ____________________________________________
☐ No — contact CISO immediately if personal data is processed
☐ N/A — engagement does not involve personal data
G2. Sub-contractors
G2.1 Do you use sub-contractors to deliver any part of the services
you provide to us?
☐ Yes ☐ No
If Yes, complete the following for each sub-contractor with access to
our data, systems, or premises:
Sub-contractor name | Services they provide | Access type | CISO-approved?
───────────────────────────────────────────────────────────────────────────
[Name] | [describe] | [describe] | ☐ Yes ☐ No
[continue]
G2.2 Do your contracts with the above sub-contractors include security
obligations equivalent to those in this document?
☐ Yes ☐ No — describe the gap: _________________________________
☐ N/A — no sub-contractors
Section H — Compliance and certification status
H1. Current certification status
Complete the following table for certifications relevant to your
engagement. If a certification is not held, enter "Not held."
Certification | Certificate / Report ref | Valid until | Scope covers our engagement?
──────────────────────────────────────────────────────────────────────────────────────────────
ISO 27001 | [ref or "Not held"] | [DATE] | ☐ Yes ☐ No ☐ N/A
Cyber Essentials | [ref or "Not held"] | [DATE] | ☐ Yes ☐ No ☐ N/A
Cyber Essentials Plus | [ref or "Not held"] | [DATE] | ☐ Yes ☐ No ☐ N/A
SOC 2 Type II | [ref or "Not held"] | [DATE] | ☐ Yes ☐ No ☐ N/A
CMMC Level (if any) | [level or "N/A"] | [DATE] | ☐ Yes ☐ No ☐ N/A
Other (specify): | [ref or "Not held"] | [DATE] | ☐ Yes ☐ No ☐ N/A
H2. Changes since last assessment
H2.1 Has your ISO 27001, Cyber Essentials, or SOC 2 certification lapsed,
been suspended, or had its scope materially reduced since your last
self-assessment?
☐ Yes — describe and explain what interim controls are in place:
_______________________________________________________________
☐ No ☐ N/A — first assessment
H2.2 Has your organisation been subject to any regulatory enforcement
action, fine, or formal investigation related to information security
or data protection in the past 12 months?
☐ Yes — describe: _____________________________________________
☐ No
H2.3 Has your organisation's information security posture materially
changed since your last self-assessment? This includes significant
changes to technology, personnel, structure, or practices.
☐ Yes — describe: _____________________________________________
☐ No ☐ N/A — first assessment
H3. Open issues and exceptions
H3.1 Are there any requirements in Sections 1.1 through 1.5 of this
document that you are currently unable to meet?
☐ Yes — describe each requirement and your current gap:
Requirement | Gap description | Planned resolution | Target date
───────────────────────────────────────────────────────────────────────────
[Section ref] | [describe] | [describe] | [DATE]
[continue]
☐ No — all standard-tier requirements are currently met
H3.2 Are there any security concerns about our engagement or our
information that you would like to raise with our CISO?
☐ Yes — describe: ____________________________________________
☐ No
Section I — Declaration and submission
I confirm on behalf of [company name] that:
1. The information provided in this questionnaire is accurate and complete
to the best of my knowledge and belief as of the date of submission.
2. I am authorised by [company name] to make this declaration.
3. I understand that providing materially false or misleading information
in this questionnaire may constitute a breach of our contract.
4. I agree to notify [CISO name] at [ciso@organisation.com] within 10
business days if any material change occurs to the information provided
in this questionnaire before the next annual submission.
5. I have read and understood the supplier security obligations in
Sections 1.1 through 1.5 of the Supplier Security Obligations page
and confirm that [company name] is currently meeting those obligations,
subject to any exceptions disclosed in Section H3.1.
Name: ___________________________
Job title: ___________________________
Company: ___________________________
Date: ___________________________
Signature: ___________________________
Return to: [ciso@organisation.com]
Subject: Supplier Security Self-Assessment — [Company name] — [YYYY]
Deadline: [DATE]
Evidence filing and CISO assessment process
This section is for IT Operations and the CISO. It describes what happens after a questionnaire is received.
What the CISO does with each completed questionnaire
STEP 1 — Receipt and acknowledgement (within 3 business days):
CISO acknowledges receipt to the supplier contact
Assigns a supplier assessment reference: SA-[YYYY]-[NNN]
Opens or updates the supplier record in EV-C → Supplier Assessments → [Supplier name]
STEP 2 — Review (within 10 business days of receipt):
CISO reviews each section against the minimum requirements
Automatic amber flags (require further discussion with supplier):
Section C1.1 / C2.1: any "No" to individual named accounts or MFA
Section D1.1 / D2.2 / D2.3: any critical patch SLA >14 days; any operating
system or software without vendor security support
Section F1.3: any incident in past 12 months affecting our data
Section H1: any certification lapsed or scope not covering our engagement
Section H3.1: any open exception to standard-tier requirements
Automatic red flags (require management decision):
Section F1.3: incident affecting our data not previously notified to us
Section G2.1: sub-contractor confirmed with CISO-approved = No
Section H2.2: regulatory enforcement action in past 12 months
Section D1.4: "No" to full disk encryption on devices holding our data
Section A3 / C3: screening not confirmed for any individual with access
to our CUI or OFFICIAL information
Section F1.1 / F1.4: no documented incident response procedure, or
incidents meeting the Section 1.3 criteria that were not notified to us
STEP 3 — Risk rating update:
CISO updates the supplier record in EV-C with the new risk rating
(Green / Amber / Red) based on the questionnaire review
Updates the critical supplier register in the Supplier Governance page
STEP 4 — Follow-up (where required):
For each amber or red flag: CISO contacts the supplier to discuss the gap
Documents the supplier's response and any agreed remediation timeline
Amber flags with agreed remediation and a target date within 90 days:
retain Amber; add note in supplier record; review at next cycle
Amber flags with no agreed remediation or target > 90 days:
escalate to Red; notify management as per Supplier Governance page
Red flags: management notification within 24 hours; see Supplier Governance
→ Section 2 for management decision authority reference
STEP 5 — Filing:
Completed questionnaire (PDF or completed Confluence child page):
EV-C → Risk Management → Supplier Assessments → [Supplier name] → [YYYY]
Assessment summary (CISO's written assessment, 1 page):
same location
Risk rating confirmed in supplier register (Supplier Governance page):
updated within 5 business days of completing the assessment
Retention: 3 years from the date of each annual assessment
Non-response management
STEP 1 — Initial chase (4 weeks before deadline):
Automated reminder sent to supplier contact on file
CC: to our commercial or procurement contact for that supplier
STEP 2 — Second chase (2 weeks before deadline):
CISO sends personal email to supplier contact
If no response: CISO notifies the commercial or procurement contact
for escalation through the supplier relationship
STEP 3 — Deadline passed with no response:
CISO notifies management (isms-management)
Supplier moved to Amber status pending receipt of questionnaire
CISO contacts the commercial/procurement contact to formally advise that
the supplier relationship is at risk if the questionnaire is not received
STEP 4 — 30 days post-deadline with no response:
CISO proposes to management: suspend supplier access until questionnaire
is received, or accept the risk with documented rationale
Management decision required (see Supplier Governance → Section 5)
Chase activity is logged against the supplier's assessment record, one
row per contact:
Date chased | Method | Response | Outcome
Log this at: EV-C → Risk Management → Supplier Assessments → [Supplier name]
Confluence page version and review
Document history:
v1.0 [DATE] Initial publication — CISO
v1.1 [DATE] [describe any changes — e.g. "Added CUI marking requirements
in Section 1.2.1 following new DoD contract award"]
Annual review: This page is reviewed annually alongside Policy 09 (Supplier
Security Policy). The questionnaire content is reviewed against any changes
to our compliance obligations (new DFARS clauses, DEFSTAN updates, ISO 27001
revision) before each annual questionnaire cycle launches.
Page owner: CISO
Questions: [ciso@organisation.com]