
Supplier Assurance and Evidence Submission


Confluence page header

Page title:    Supplier Assurance and Evidence Submission
Parent:        ISMS Home → 09 · Supplier Security Policy
SCM variant:   isms-all-staff (read — for procurement and commercial staff
               who coordinate the assurance cycle with suppliers)
               isms-management (read)
               isms-security (full access — CISO maintains)
               isms-it-staff (read)
Page owner:    CISO
Last reviewed: [DATE]
Next review:   Annual — before the annual assurance cycle launches (typically
               December, ahead of the [31 March] submission deadline)
Related pages: Supplier Security Obligations (standard-tier)
               Critical Supplier Security Obligations (critical-tier)
               Supplier Onboarding
               Supplier Governance and Business Continuity Oversight (management view)
               EV-C → Risk Management → Supplier Assessments (evidence filing)

Purpose of this page

This page is the operational guide to our annual supplier assurance cycle. It addresses three audiences:

Critical-tier suppliers who need to know what evidence they must provide, by when, in what format, and what happens after they submit. The assurance cycle is an annual obligation — not optional, and not reducible to a questionnaire submission alone. Section 2 through Section 6 cover everything a supplier needs to complete the cycle.

Internal staff — commercial, procurement, and the CISO — who coordinate the cycle, receive and process submissions, and manage the assurance review meetings. Section 7 and Section 8 cover the CISO's internal workflow.

Management who need to understand why the cycle exists and what they may be asked to approve or discuss as a result of it. The Supplier Governance and Business Continuity Oversight page provides the management view; this page provides the operational detail.


Section 1 — The annual assurance cycle: what it is and why it exists

Why a questionnaire alone is not sufficient

The annual self-assessment questionnaire (covered in Part 3 of the Critical Supplier Security Obligations page) is a declaration. It tells us what a supplier believes to be true about their security posture. A declaration is valuable — it creates a legal record and engages the signatory's personal accountability — but it cannot by itself give us the assurance our compliance frameworks require.

ISO 27001 Annex A 5.22 (Monitoring and review of supplier services) requires that we regularly monitor, review, and audit our supplier service delivery agreements. "Monitor" implies ongoing visibility — not an annual questionnaire. "Review" implies that changes to services, security postures, or risk ratings are assessed. "Audit" implies some form of verification beyond self-declaration.

DFARS §252.204-7012 and NIST SP 800-171 expect that organisations handling CUI have verified — not merely been told — that the security requirements are being met in their supply chain. A DoD contracting officer or a C3PAO assessor who reviews our supply chain security programme will assess whether we have done more than ask our suppliers to sign a questionnaire.

DEFSTAN 05-138 Profile 2 §Supplier Security explicitly requires that sub-contractors with OFFICIAL data access are assessed against the applicable profile. Assessment means more than declaration — it requires some form of evidence review or verification.

The annual assurance cycle responds to these requirements by combining three activities:

  1. Evidence submission — documented proof of certifications and controls (this page)
  2. Self-assessment questionnaire — declaration of posture (Critical Supplier Security Obligations page, Part 3)
  3. Assurance review meeting — structured conversation with the supplier's CISO or equivalent

All three components are required for Critical-tier suppliers. The standard-tier obligation is the questionnaire alone.


The annual cycle calendar

ANNUAL SUPPLIER ASSURANCE CYCLE — CALENDAR

DECEMBER (year prior):
  CISO updates the assurance package (this page) with any changes
  from the prior year's experience
  CISO sends advance notice to all Critical-tier suppliers:
  "Your annual assurance submission is due by [31 March]. The
  evidence requirements and questionnaire are at [this page link]."

JANUARY — FEBRUARY:
  Suppliers compile their evidence packages
  Suppliers complete their self-assessment questionnaire
  CISO available for questions: [ciso@organisation.com]

  Suppliers should contact the CISO in January if any of the following apply:
  • Their ISO 27001 certificate is due for renewal — timing may affect
    which certificate version they submit
  • Their CE Plus assessment is overdue — begin the process now
  • Their CMMC self-assessment has not yet been completed — begin it now
  • They have open POA&M items that materially affect their score —
    the CISO should know before submission

31 MARCH — SUBMISSION DEADLINE:
  All evidence packages and questionnaires submitted to:
  [ciso@organisation.com]
  Subject: SUPPLIER ASSURANCE — [Company name] — [YYYY]

APRIL — MAY:
  CISO reviews all submissions (10 business days per submission)
  CISO contacts suppliers with issues, gaps, or blocking findings
  Assurance review meetings scheduled

MAY — JUNE:
  Assurance review meetings conducted (30-45 minutes per supplier)
  Risk ratings updated in the critical supplier register
  Management notified of any Red-rated suppliers

JUNE — ONWARDS:
  Ongoing: CISO monitors for certificate expiry, incidents, and changes
  that require out-of-cycle reassessment
  Next cycle preparation begins in December

Section 2 — Evidence requirements for Critical-tier suppliers

This section specifies what you must submit to us annually. Read it alongside the Critical Supplier Security Obligations page, which specifies the obligations you must meet. This page specifies how to demonstrate that you are meeting them.

The evidence requirements are categorised by topic. Not all categories apply to every supplier. Where a category is marked "if applicable," your contract or engagement letter will confirm whether it applies to your engagement. If you are unsure, ask the CISO before the submission deadline.


2.1 — Mandatory evidence for all Critical-tier suppliers

These items are required from every Critical-tier supplier regardless of the type of access or data involved. There are no exceptions to this category.


M1 — Current certification evidence

What to provide: A copy of your current principal security certification — either ISO 27001, Cyber Essentials Plus, SOC 2 Type II, or CMMC Level 2 certificate as applicable.

The certification you provide must:
  • Be issued by an accredited body (see Section 3 for specific requirements per certification type)
  • Be current — not expired on the date of your submission
  • Have a scope that covers the systems and personnel used in our engagement
  • Be independently verifiable — we will check the certificate number against the issuing body's register

If your certification scope does not cover the systems used in our engagement, you must explain this in your submission and describe what compensating evidence you are providing for the out-of-scope systems.

Format: PDF of the certificate. For SOC 2, provide a management summary or the full report — confirm with the CISO which format is preferred for your specific engagement.

Verification: We independently verify all certifications. Do not submit an expired certificate expecting we will not notice. If a certificate has lapsed and renewal is in progress, contact the CISO before the submission deadline to agree interim arrangements.


M2 — Named individuals with access — current register

What to provide: A current list of all individuals from your organisation who have access to our systems, data, or premises, in the format below.

NAMED INDIVIDUALS WITH ACCESS — SUBMISSION FORMAT

For each individual:
  Full name:                     [First and last name]
  Job title / role:              [Current role at your organisation]
  Email:                         [Work email]
  Phone:                         [Direct number]
  Systems / data accessed:       [Specific systems or data categories]
  Access type:                   [Remote / On-site Zone 2 / Zone 3 / Data handling only]
  Screening level:               [None / Employer reference / BPSS / SC / DV]
  Screening confirmed date:      [Date screening was last confirmed — YYYY-MM-DD]
  How screening is evidenced:    [Internal HR record / Third-party provider / Clearance
                                  certificate — specify]
  Account active since:          [Date their account with us was created — YYYY-MM-DD]
  Last access (if known):        [Approximate date of last access to our systems]
  Sub-contractor:                [Yes — company name / No]

We cross-reference this list against our own access logs. Discrepancies — individuals not on your list who have accessed our systems, or individuals on your list who have not accessed our systems in more than 12 months — will be raised at the assurance review meeting.

Format: Excel spreadsheet or equivalent table. Do not send as a PDF — we need to process the data.
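The cross-reference described above (our access logs against the supplier's M2 register) is mechanical enough to script. The following is an added example written for this page, not a tool the organisation runs; the register rows, the access log lines, the review date and the 365-day staleness window are all constructed for illustration, and only the register fields the check needs are shown.

```python
from datetime import date, datetime, timedelta

# Constructed sample: the supplier's M2 register, one dict per individual.
# Real submissions carry the full field set from the format above.
SUPPLIER_REGISTER = [
    {"full_name": "A. Example", "email": "a.example@supplier.example",
     "account_active_since": "2023-02-01"},
    {"full_name": "B. Example", "email": "b.example@supplier.example",
     "account_active_since": "2022-06-15"},
    {"full_name": "C. Example", "email": "c.example@supplier.example",
     "account_active_since": "2024-09-01"},
]

# Constructed sample: our own access log as (account, ISO-8601 timestamp).
OUR_ACCESS_LOG = [
    ("a.example@supplier.example", "2025-03-10T09:14:00"),
    ("a.example@supplier.example", "2025-03-28T16:02:00"),
    ("b.example@supplier.example", "2023-11-02T11:45:00"),
    ("d.example@supplier.example", "2025-02-19T08:30:00"),  # not on the register
]

REVIEW_DATE = date(2025, 4, 15)          # assumed date the CISO runs the check
STALE_AFTER = timedelta(days=365)        # "more than 12 months" from M2


def last_access_by_account(log):
    """Reduce the raw log to the most recent access date per account."""
    latest = {}
    for account, ts in log:
        when = datetime.fromisoformat(ts).date()
        if account not in latest or when > latest[account]:
            latest[account] = when
    return latest


def cross_reference(register, log, review_date):
    """Return the three discrepancy classes raised at the assurance review:
    accounts seen in our logs but absent from the register, registered
    accounts with no access for more than 12 months, and registered
    accounts we have never seen at all (recent accounts, reported separately
    so a newly created account is not mislabelled as stale)."""
    latest = last_access_by_account(log)
    registered = {row["email"].lower() for row in register}
    unlisted = sorted(acct for acct in latest if acct not in registered)
    stale, never_seen = [], []
    for row in register:
        acct = row["email"].lower()
        seen = latest.get(acct)
        if seen is not None:
            if review_date - seen > STALE_AFTER:
                stale.append(acct)
        elif review_date - date.fromisoformat(row["account_active_since"]) > STALE_AFTER:
            stale.append(acct)          # old account, never used
        else:
            never_seen.append(acct)     # new account, not yet used
    return {"unlisted": unlisted, "stale": sorted(stale), "never_seen": sorted(never_seen)}


if __name__ == "__main__":
    for kind, accounts in cross_reference(SUPPLIER_REGISTER, OUR_ACCESS_LOG, REVIEW_DATE).items():
        print(f"{kind}: {', '.join(accounts) or '-'}")
```

The "unlisted" bucket is the one that matters most: it is either an individual the supplier forgot to declare or an account that should not exist, and either way it needs an answer at the review meeting.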


M3 — Annual self-assessment questionnaire

What to provide: The completed Critical Supplier Annual Assurance Questionnaire from the Critical Supplier Security Obligations page (Part 3 of that page).

The questionnaire must be:
  • Completed in full — every section, every question. "N/A" with a brief explanation is acceptable where genuinely not applicable. Blank questions are not.
  • Signed by your CISO or equivalent (a Director, VP, or named Head of Security). The questionnaire may not be signed by a junior security analyst, an account manager, or an IT engineer — it must be a person with authority and accountability for your organisation's security posture.
  • Accurate as of the submission date, not as of a previous assessment date.

The questionnaire is not the assurance — it is the declaration that supports the assurance. We will verify the answers against the other evidence you submit and against our own records.


M4 — Incident history for the past 12 months

What to provide: A summary of all security incidents at your organisation in the past 12 months that:
  • Affected or may have affected our data, systems, or access credentials
  • Were reportable to us under the notification timelines in the Supplier Incident Reporting page
  • Were reported to us during the year

If you had no reportable incidents in the past 12 months, a brief written statement to that effect, signed by your CISO, satisfies this requirement.

If you had incidents that were reportable but not reported at the time, disclose them now. Voluntary disclosure at the annual assurance cycle is treated materially differently from incidents we discover ourselves. Voluntary disclosure demonstrates security culture; deliberate concealment is a contractual breach.

Format: Written summary — one paragraph per incident, or signed statement of nil incidents.


M5 — Sub-contractor register

What to provide: A list of all sub-contractors used in delivering your engagement with us who have any access to our data, systems, or premises.

SUB-CONTRACTOR REGISTER — SUBMISSION FORMAT

For each sub-contractor:
  Company name:                  [Legal name]
  Role in our engagement:        [Brief description]
  Access to our data:            [Yes — specify categories / No]
  Access to our systems:         [Yes — specify which / No]
  Access to our premises:        [Yes — specify zones / No]
  Their security certification:  [ISO 27001 cert no / CE+ cert no / None]
  CISO approval received:        [Yes — date / No — explain]
  Data processing agreement:     [In place — date / Not required — reason]
  Security obligations flowed:   [Yes — describe mechanism / No — explain]

A sub-contractor without CISO approval must be flagged immediately — access should have been approved before it was granted. The CISO will confirm whether retrospective approval is possible or whether the access must be suspended.


2.2 — Conditional evidence — required where applicable

These items are required only where the relevant category applies to your engagement.


C1 — CMMC evidence (if your engagement involves CUI from DoD contracts)

What to provide:

CMMC EVIDENCE PACKAGE

Item C1.1 — SPRS score confirmation:
  Your current SPRS score (the number submitted to the SPRS database)
  The date the score was submitted
  The name and role of the senior official who signed the affirmation
  The date the affirmation was signed

  [If your SPRS score has changed since your last submission: provide
  the prior score and explain what changed. A score reduction is not
  a disqualifying event — unexplained score changes are.]

Item C1.2 — Self-assessment summary:
  The date your most recent NIST SP 800-171 self-assessment was conducted
  Brief description of the methodology (one paragraph)
  Confirmation that all three assessment methods were applied:
    Examine (documentation review): ☐ Confirmed
    Interview (personnel questioning): ☐ Confirmed
    Test (technical verification): ☐ Confirmed

Item C1.3 — POA&M summary (if SPRS score is below 110):
  For each open POA&M item:
    Control reference (e.g. 3.14.7)
    Plain English description of the gap
    Current compensating control in place
    Target remediation date
    Owner
  [If all 110 controls are implemented: written statement to that effect]

Item C1.4 — Sub-contractor CUI flow (if you further sub-contract CUI handling):
  Which sub-contractors handle our CUI?
  What CMMC obligations have you flowed to them?
  Their SPRS scores (if you have them)?

C2 — DEFSTAN evidence (if your engagement involves OFFICIAL or OFFICIAL-SENSITIVE data)

What to provide:

The specific evidence required depends on the DEFSTAN profile applicable to your engagement. Your contract schedule specifies the profile. If the profile is not stated, contact the CISO.

DEFSTAN EVIDENCE PACKAGE

Profile 0 evidence (required for all DEFSTAN-scoped suppliers):
  □ Screenshot or export showing current patch levels on systems used
    for OFFICIAL work (within the past 90 days)
  □ AV coverage confirmation for OFFICIAL-scope systems
  □ Named user list confirming no shared accounts for OFFICIAL access
  □ Confirmation that no default credentials are in use on systems
    used for OFFICIAL work

Profile 1 additional evidence:
  □ Current information security policy (approved within past 12 months)
    — a page and signature is sufficient; we do not need the full document
    unless we request it
  □ BPSS screening records summary for all individuals with OFFICIAL access:
    For each individual: name, BPSS completion date, screened by (internal
    HR or named third-party provider). We do not need the underlying
    screening documents — a summary table with the CISO's confirmation
    that underlying records exist is sufficient.
  □ Evidence that your incident management procedure exists:
    Document title, version number, date last reviewed. We will request
    a copy at the assurance review meeting if needed.
  □ List of changes to OFFICIAL-scope systems in the past 12 months:
    Confirms your change management process is operating. One line per
    change: date, system, change description, approved by.

Profile 2 additional evidence:
  □ Most recent vulnerability scan results for OFFICIAL-scope systems:
    Executive summary of findings — raw output not required but must be
    available at the assurance review meeting
  □ Patch tracking summary: SLA compliance rate for Critical and High
    vulnerabilities (calculated from vendor release date — not detection date)
  □ Most recent penetration test report executive summary
  □ Evidence that security monitoring is active: name of SIEM or
    equivalent platform; confirmation that logs are reviewed at least
    monthly; date of most recent review

C3 — Personal data processing evidence (if you process personal data on our behalf)

What to provide:

PERSONAL DATA PROCESSING EVIDENCE

Item C3.1 — DPA status:
  Confirmation that a current Data Processing Agreement is in place:
    DPA date signed: [YYYY-MM-DD]
    DPA covers: [brief description of processing activities covered]
  [If no DPA is in place: contact CISO immediately — processing must
  cease until a DPA is executed]

Item C3.2 — Sub-processor register:
  All sub-processors used in processing our personal data:
    Sub-processor name, country of operation, processing activity,
    transfer mechanism (if outside UK/EEA), DPA-equivalent in place (Yes/No)

Item C3.3 — Data retention confirmation:
  Confirmation of how long our personal data is retained:
    Retention period: [duration]
    Basis for retention period: [DPA requirement / legal obligation / specify]
    Data destroyed or returned at contract end: ☐ Confirmed

Item C3.4 — Data subject rights capability:
  Confirmation that you can respond to data subject rights requests
  and that you have a process for forwarding to us any requests received
  from individuals claiming to be our data subjects:
    ☐ Confirmed — process in place
    ☐ Not yet in place — describe gap and plan: ___________________

C4 — Physical access evidence (if your engagement involves on-site access to Zone 2 or Zone 3)

What to provide:

PHYSICAL ACCESS EVIDENCE

Item C4.1 — Site visit register for the past 12 months:
  List of all visits made to our premises by your personnel:
    Date, individual name(s), purpose, zones accessed
  [Our Facilities Manager records are the primary source — your record
  should be consistent with ours. Discrepancies will be discussed at
  the assurance review.]

Item C4.2 — Supervised access confirmation:
  For any Zone 3 (server room / secure area) access:
    Confirm each visit was supervised by our IT Operations engineer
    Note: any Zone 3 visit without our IT Operations escort is a
    DEFSTAN Profile 1 finding regardless of other controls

Item C4.3 — Device standards for on-site devices:
  For any device brought on-site and connected to our network:
    Device type, OS version, AV status, FDE status
    Were any devices that do not meet our baseline (FC-02) connected?
    If Yes: this is a finding — describe the situation

2.3 — Evidence that is not required but strengthens your submission

The following items are not mandatory but will be reviewed positively if included. They reduce the time needed at the assurance review meeting and may result in a more favourable risk rating.

SUPPLEMENTARY EVIDENCE — NOT REQUIRED BUT VALUABLE

• Your internal vulnerability scan results (executive summary) showing
  the current patch compliance rate for systems used in our engagement

• Results of your most recent phishing simulation programme:
  click rate, completion rate, trend over time

• Evidence that your staff with access to our systems have completed
  security awareness training in the past 12 months

• Your business continuity plan executive summary, specifically the
  recovery time objective (RTO) for the service(s) you deliver to us

• Evidence of your own internal security audit conducted in the past
  12 months (audit scope, findings count by severity, corrective action
  plan status)

• Your penetration test executive summary (if not already required
  under C2 above)

• A summary of security improvements you have made in the past 12 months
  as a result of the prior year's assurance review

Section 3 — How to submit certification evidence

3.1 — ISO 27001 certificate submission

What to submit:
  • PDF of the current certificate issued by the certification body
  • The certificate number (appears on the certificate face)
  • The certification body's name (must be UKAS-accredited in the UK, or an IAF MLA member internationally)
  • The scope statement (exactly as it appears on the certificate)
  • The valid-to date

How we verify it: We check the certificate number against the certification body's public register or against the UKAS database at ukas.com. We also check the certification body's accreditation. A certificate from an unaccredited body does not satisfy the ISO 27001 certification requirement.

Scope issues: If the scope on your certificate does not explicitly cover the systems or services used in our engagement, we will ask you to explain this at the assurance review. The most common scope issue is a certificate scoped to "head office operations" where our engagement is delivered from a regional office or a cloud environment that is not in scope. Where the scope genuinely does not cover your engagement, we will agree with you what supplementary evidence covers the gap.

If your certificate is being renewed: ISO 27001 certificates are typically renewed on a three-year cycle (Stage 2 recertification audit) with annual surveillance audits. If your certificate is in the process of renewal at the time of our submission deadline, contact the CISO. We will accept a letter from the certification body confirming that the certificate is current while renewal is in progress.

What is not acceptable:
  • A certificate whose valid-to date has passed
  • A certificate from a body that is not UKAS-accredited or an IAF MLA member
  • A draft or "in progress" certificate without confirmation from the certification body that the certificate is being issued
  • A certificate where the scope has been materially reduced since it was originally issued, without explanation


3.2 — Cyber Essentials Plus certificate submission

What to submit:
  • PDF of the current CE Plus certificate
  • The certificate number (appears on the certificate; used for verification at ncsc.gov.uk/cyberessentials/search)
  • The name of the licensed assessor body
  • The scope as stated on the certificate
  • The valid-to date (CE certificates are valid for 12 months from the assessment date)

How we verify it: We verify the certificate number at the NCSC's online verification service. A certificate that cannot be verified there is treated as unverified until verification is possible.

The difference between CE basic and CE Plus: CE basic is a self-assessment — the supplier declares their posture and the certification body reviews the declaration. CE Plus involves a licensed assessor conducting technical verification on a sample of the supplier's devices and systems. Only CE Plus satisfies the Critical-tier certification requirement. CE basic alone is not sufficient for Critical-tier suppliers.

What the CE Plus assessment covers: The CE Plus assessor will have verified, on a sample of your devices, that: your firewall configuration blocks unapproved inbound connections; your devices are running patched, supported operating systems; your devices have active, current antivirus; your user accounts require MFA for cloud services; and your administrative accounts are separated from standard user accounts. The scope of devices tested is defined by the scope statement on the certificate.

If your CE Plus scope does not cover all systems used in our engagement: This is the most common CE issue for suppliers. Confirm with your assessor before the annual assessment which systems and sites will be included in the scope. If your engagement with us involves systems outside the CE Plus scope, we need to understand how those systems are secured.

Annual renewal: CE Plus certificates expire 12 months after the assessment date. Begin the renewal process no later than 8 weeks before the expiry date — the technical assessment requires scheduling and the remediation window, if issues are found, needs to be within the validity period.


3.3 — SOC 2 Type II report submission

What to submit:
  • The full SOC 2 Type II report, or a management summary you have prepared. Confirm with the CISO which format is appropriate before submission — for some engagements, a management summary is sufficient; for others, we need the full report.
  • The trust service categories covered (Security must be included; Availability, Confidentiality, Processing Integrity, and Privacy are additional)
  • The period covered by the report
  • The name of the auditing CPA firm (must be AICPA-accredited)
  • A copy of the management's response to any exceptions noted in the report

What we look for in a SOC 2 report:
  • The opinion — is it unqualified (clean), qualified, or adverse? An unqualified opinion with no exceptions gives us the highest assurance. Qualified opinions or reports with exceptions need to be understood in the context of your engagement.
  • The trust service criteria — particularly the Common Criteria (CC) that relate to logical access, incident response, and monitoring
  • Exceptions noted by the auditor — each exception is a control that was not operating effectively during the audit period. We will ask you about exceptions at the assurance review meeting, particularly any that relate to access management, incident response, or change management.
  • The testing period — a SOC 2 report for a testing period more than 12 months ago is considered stale. If your most recent SOC 2 Type II report is more than 12 months old, contact the CISO before the submission deadline.

SOC 2 without ISO 27001: A SOC 2 Type II report is acceptable in lieu of ISO 27001 for most Critical-tier suppliers. The CISO will assess whether the SOC 2 trust service categories and testing scope are sufficient for your specific engagement. For CUI-handling engagements, the CISO may require additional evidence to confirm NIST 800-171 alignment.


3.4 — CMMC certificate submission (if applicable)

What to submit:
  • A copy of your CMMC Level 2 certificate (if you have completed a C3PAO assessment)
  • The certificate number (verifiable through the Cyber AB portal at cybermarketplace.net)
  • The assessment date
  • The name of the C3PAO that conducted the assessment

CMMC self-assessment (if no C3PAO certificate): Most suppliers in our supply chain are at the self-assessment stage of CMMC — they have not yet undergone a C3PAO assessment but have conducted an annual self-assessment and submitted their SPRS score. If this is your situation, provide the CMMC evidence package specified in Section 2.2 (C1) rather than a certificate.

SPRS score verification: We may verify SPRS scores directly if we have a DoD government portal account or through our prime contractor. Do not submit a score that differs from what you have submitted to SPRS — the submission date and score must be consistent.


3.5 — What to do if your certification is in a gap period

A gap period is the time between your previous certificate expiring and your new certificate being issued. Gap periods should be avoided — plan your renewals to avoid them — but they occur, especially where assessors have capacity constraints.

If you are in a gap period at the time of submission:

  1. Contact the CISO at least 4 weeks before the submission deadline. Do not wait until the submission deadline to tell us your certificate has lapsed.
  2. Provide a letter from your certification body (for ISO 27001) or assessor (for CE Plus) confirming that the assessment is booked and the assessment date. This is a bridge document — it does not satisfy the certification requirement but shows that the gap is being actively managed.
  3. Provide a self-declaration confirming that your security controls have not materially changed since your last certificate was issued.
  4. Agree with the CISO an interim risk acceptance that covers the gap period. This is a management decision — the CISO will present the gap and the proposed mitigation to the relevant Director for sign-off.

A supplier who is in a gap period without having notified us — where we discover the lapse at the submission review — will receive a finding in their assurance assessment. The risk rating impact depends on the length of the gap and the nature of the engagement.


Section 4 — How to submit your evidence package

4.1 — Submission method

Email submission: Send all evidence to [ciso@organisation.com] with the subject line: SUPPLIER ASSURANCE — [Your company name] — [YYYY]

File organisation: Organise your submission as a single email or a compressed archive (.zip) with the following structure:

[CompanyName]_SupplierAssurance_[YYYY]/
│
├── 01_Questionnaire/
│   └── CriticalSupplierAssuranceQuestionnaire_[YYYY]_Signed.pdf
│
├── 02_Certification/
│   ├── ISO27001_Certificate_[CertNumber]_[ValidTo].pdf
│   OR
│   ├── CEPlus_Certificate_[CertNumber]_[ValidTo].pdf
│   OR
│   ├── SOC2_Report_[Period]_[AuditorName].pdf
│
├── 03_NamedIndividuals/
│   └── NamedIndividuals_[YYYY].xlsx
│
├── 04_IncidentHistory/
│   └── IncidentHistory_[YYYY].pdf
│   OR
│   └── NilIncidentDeclaration_[YYYY]_Signed.pdf
│
├── 05_SubContractors/
│   └── SubContractorRegister_[YYYY].xlsx
│
├── 06_CMMC/ (if applicable)
│   ├── SPRS_Score_Confirmation_[YYYY].pdf
│   └── POAMSummary_[YYYY].pdf (if SPRS < 110)
│
├── 07_DEFSTAN/ (if applicable)
│   └── DEFSTAN_EvidencePackage_Profile[N]_[YYYY].pdf
│
├── 08_PersonalData/ (if applicable)
│   └── PersonalDataProcessingEvidence_[YYYY].pdf
│
└── 09_Supplementary/ (optional)
    └── [Any additional evidence]

File naming convention: Use descriptive filenames that include the document type, your company name abbreviated, and the year. Do not submit files named "Document1.pdf" or "Scan.pdf" — these create processing problems on our side.

File size: If your total submission exceeds 25MB, contact the CISO for a secure file transfer link before the deadline.

Confirmation of receipt: We will acknowledge receipt by email within 3 business days of submission. If you have not received an acknowledgement within 3 business days of the deadline, contact the CISO.
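The folder structure and naming rules above are precise enough to check before a package is sent (or, on our side, before the 10-business-day review starts). The following is an added example written for this page, not a tool the organisation or any supplier provides: it builds a small in-memory .zip from constructed paths and validates it against the structure in Section 4.1. The `build_archive` helper, the `cui`/`defstan`/`personal_data` flags and the sample paths are assumptions for the example.

```python
import io
import re
import zipfile

MAX_TOTAL_BYTES = 25 * 1024 * 1024    # 25MB limit from Section 4.1
GENERIC_NAME = re.compile(r"^(document\d*|scan\d*)\.\w+$", re.IGNORECASE)

# Mandatory folders and the filename pattern at least one file must match.
REQUIRED = {
    "01_Questionnaire": r"^CriticalSupplierAssuranceQuestionnaire_\d{4}_Signed\.pdf$",
    "02_Certification": r"^(ISO27001_Certificate|CEPlus_Certificate|SOC2_Report)_.+\.pdf$",
    "03_NamedIndividuals": r"^NamedIndividuals_\d{4}\.xlsx$",
    "04_IncidentHistory": r"^(IncidentHistory|NilIncidentDeclaration)_\d{4}(_Signed)?\.pdf$",
    "05_SubContractors": r"^SubContractorRegister_\d{4}\.xlsx$",
}
# Conditional folders, switched on by keyword flags to validate_package().
CONDITIONAL = {
    "cui": ("06_CMMC", r"^SPRS_Score_Confirmation_\d{4}\.pdf$"),
    "defstan": ("07_DEFSTAN", r"^DEFSTAN_EvidencePackage_Profile\d_\d{4}\.pdf$"),
    "personal_data": ("08_PersonalData", r"^PersonalDataProcessingEvidence_\d{4}\.pdf$"),
}


def build_archive(entries):
    """Constructed helper: make an in-memory .zip from {path: size_in_bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, size in entries.items():
            zf.writestr(path, b"x" * size)
    buf.seek(0)
    return buf


def validate_package(archive, company, year, **applicable):
    """Return a list of findings; an empty list means the package is well-formed."""
    findings = []
    root = f"{company}_SupplierAssurance_{year}/"
    with zipfile.ZipFile(archive) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    if any(not i.filename.startswith(root) for i in infos):
        findings.append(f"files outside the expected top-level folder {root}")
    if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
        findings.append("total size exceeds 25MB - request a secure transfer link")
    by_folder = {}
    for i in infos:
        rel = i.filename[len(root):] if i.filename.startswith(root) else i.filename
        folder, _, name = rel.partition("/")
        if not name:                      # file directly under the root folder
            folder, name = "", folder
        by_folder.setdefault(folder, []).append(name)
        if GENERIC_NAME.match(name):
            findings.append(f"generic filename: {i.filename}")
    wanted = dict(REQUIRED)
    for flag, (folder, pattern) in CONDITIONAL.items():
        if applicable.get(flag):
            wanted[folder] = pattern
    for folder, pattern in wanted.items():
        if not any(re.match(pattern, n) for n in by_folder.get(folder, [])):
            findings.append(f"{folder}: no file matching the required naming convention")
    if any(n.lower().endswith(".pdf") for n in by_folder.get("03_NamedIndividuals", [])):
        findings.append("03_NamedIndividuals: register sent as PDF - a spreadsheet is required")
    return findings


# Constructed sample package that follows the Section 4.1 layout.
SAMPLE_GOOD = {
    "Acme_SupplierAssurance_2025/01_Questionnaire/CriticalSupplierAssuranceQuestionnaire_2025_Signed.pdf": 16,
    "Acme_SupplierAssurance_2025/02_Certification/ISO27001_Certificate_12345_2026-01-31.pdf": 16,
    "Acme_SupplierAssurance_2025/03_NamedIndividuals/NamedIndividuals_2025.xlsx": 16,
    "Acme_SupplierAssurance_2025/04_IncidentHistory/NilIncidentDeclaration_2025_Signed.pdf": 16,
    "Acme_SupplierAssurance_2025/05_SubContractors/SubContractorRegister_2025.xlsx": 16,
}

if __name__ == "__main__":
    for finding in validate_package(build_archive(SAMPLE_GOOD), "Acme", 2025, cui=True):
        print("FINDING:", finding)
```

Run against the sample with `cui=True` the only finding is the missing 06_CMMC folder, which is exactly the "if applicable" case the structure diagram marks: the validator cannot know from the archive alone whether CMMC evidence is due, so the flags have to come from the contract or engagement letter.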


4.2 — Submission deadline and late submission policy

Deadline: [31 March] annually

Late submission policy:

LATE SUBMISSION CONSEQUENCES

1–14 days late:
  CISO contacts you to confirm reason for delay and revised date.
  No immediate consequence to access or risk rating.
  Noted in your assurance record.

15–30 days late:
  CISO sends formal notice requiring submission within 5 business days.
  If no response: temporary amber rating applied; commercial contact
  informed.

31–60 days late:
  Management notification on our side.
  Access review initiated — access may be suspended pending receipt of
  submission, depending on the risk level of your engagement.
  You are responsible for any commercial consequences of access suspension.

More than 60 days late / no submission:
  Access suspended pending submission and assurance review.
  This is a breach of your contractual assurance obligations.
  We reserve the right to treat this as a material contract breach.

Late submission is not treated as wilful non-compliance if the supplier communicates proactively. If you know your submission will be late — because your CE Plus renewal is behind schedule, because a key person is on extended leave, or for any other reason — contact the CISO before the deadline. An agreed extension is not a late submission.


Section 5 — The assurance review meeting

5.1 — What the meeting is

The assurance review meeting is a 30–45 minute structured conversation between our CISO and your CISO (or equivalent — the person who signed the questionnaire or an appropriate representative). It is not a presentation — it is a two-way discussion.

The meeting is not optional for Critical-tier suppliers. A supplier who submits a questionnaire and evidence package but does not attend an assurance review meeting has not completed the annual assurance cycle.

Format: Video conference or in-person, depending on geography and preference. Video conference is the default.

Scheduling: We will contact you to schedule the meeting within 10 business days of receiving your submission. Meetings are typically held between May and June to allow time for reviewing submissions received by the March deadline.

Who should attend from your side:
  • Your CISO or equivalent (the person accountable for information security at your organisation)
  • Optionally: a technical member of your security team who can answer detailed questions about your controls

Who will attend from our side:
  • Our CISO (always)
  • Optionally: our IT Manager or Security Analyst if technical questions about our systems are expected


5.2 — Standard meeting agenda

SUPPLIER ASSURANCE REVIEW MEETING — STANDARD AGENDA

1. Introductions and confirmation of attendees (5 minutes)

2. Questionnaire confirmation (10 minutes)
   Our CISO confirms that the questionnaire was reviewed and raises any
   clarification questions arising from the written submission.
   Focus: items where the questionnaire answer and the supporting evidence
   appear inconsistent; items where additional context would be helpful.

3. Certification discussion (5 minutes)
   Confirmation that the certification is current, scope is appropriate,
   and any upcoming renewals or changes are understood.
   For ISO 27001: any findings from the most recent audit; status of any
   open corrective actions.
   For CE Plus: any remediation required before the certificate was issued.

4. Open issues from the prior year (5 minutes)
   Review of any findings or actions from the previous year's assurance review.
   Have the prior year's actions been completed?

5. Incident history (5 minutes)
   Discussion of any security incidents in the past 12 months, whether
   reportable to us or not. Focus on incidents that affected your security
   posture, controls, or personnel with access to our data.

6. Current security posture and changes (10 minutes)
   What has changed in your security programme in the past 12 months?
   Any new tools, processes, or governance changes?
   Any planned changes in the next 12 months that we should be aware of?
   Any known risks or vulnerabilities that have not yet been addressed?

7. Actions and next steps (5 minutes)
   Any follow-up items from the meeting: additional evidence requested;
   corrective actions agreed; timelines confirmed.
   Confirmation of next annual cycle date.

5.3 — What happens after the meeting

Within 5 business days of the meeting, the CISO will:

  1. Update your risk rating in the critical supplier register (Green / Amber / Red)
  2. Send you a brief meeting summary including any agreed actions and timelines
  3. File the questionnaire, evidence package, and meeting notes at: EV-C → Risk Management → Supplier Assessments → [Supplier name] → [YYYY]
  4. Notify management if your risk rating has changed to Red or if there are material findings requiring a management decision

You will receive the meeting summary within 5 business days. If you disagree with any aspect of the summary or the agreed actions, respond within 5 business days of receiving it.


Section 6 — The right-to-audit clause

6.1 — What the right-to-audit clause means

Your contract with us includes a right-to-audit clause. This section explains what that clause means, when we would invoke it, and what you can expect if we do.

The clause itself (standard wording from our supplier contract template):

"The Supplier shall permit [Organisation Name] and its authorised representatives to conduct security assessments, audits, or inspections of the Supplier's information security controls, systems, and processes relevant to the delivery of the Services under this Agreement. The Supplier shall provide reasonable cooperation, including access to documentation, personnel, and systems reasonably required for the assessment. [Organisation Name] shall provide not less than [14] calendar days' written notice of a planned assessment, except where a security incident requires more immediate access, in which case [Organisation Name] shall provide such notice as is reasonably practicable in the circumstances."

What it means in plain terms: We have the contractual right to verify your security controls independently, beyond what you declare in the annual questionnaire. We can do this by reviewing your documentation, interviewing your security personnel, or (where necessary) technically verifying specific controls.


6.2 — When we would invoke the right-to-audit

The right-to-audit is not an instrument of distrust — it is a compliance mechanism. We include it in every critical supplier contract because our ISO 27001 Annex A 5.22 obligation, our DFARS supply chain responsibilities, and our DEFSTAN supply chain obligations all require us to have the ability to verify, not merely declare, that our Critical suppliers are meeting their obligations.

In practice, we expect to invoke it rarely. The most likely triggers are:

TRIGGERS FOR INVOKING THE RIGHT-TO-AUDIT

Reactive triggers (incident-driven):
  • A security incident at your organisation has affected or may have
    affected our data, and we need to verify the scope of the impact
    and the adequacy of your remediation
  • We have discovered evidence (through our own monitoring or a third-party
    tip) of a potential security issue at your organisation that was not
    disclosed in your annual assurance submission
  • Your annual assurance questionnaire contains an answer that is
    inconsistent with what our own logs or monitoring shows, and we need
    to resolve the discrepancy

Compliance-driven triggers:
  • Our ISO 27001 certification body has identified supply chain security
    verification as a requirement of our annual surveillance audit, and
    we need to demonstrate we have performed independent verification
  • Our DoD prime contractor has asked us to verify a specific control
    in our supply chain and your organisation is part of that chain
  • Our DEFSTAN contracting authority has requested a supply chain
    assessment and your organisation handles OFFICIAL data for us

Risk-driven triggers:
  • Your risk rating has been elevated to Red and we need to verify
    that remediation actions have been completed before reinstating
    your access
  • Your certification has lapsed and we need to verify that your
    controls remain effective during the gap period
  • You are a new Critical-tier supplier completing your first year
    of engagement with us and we want to baseline our understanding
    of your security posture beyond the self-assessment

What does NOT trigger an audit:
  • Routine commercial dissatisfaction — the right-to-audit is a security mechanism, not a commercial negotiating tool
  • Curiosity — we will not audit simply to see how you operate
  • The fact that an audit is contractually possible — the right exists; we will not exercise it arbitrarily


6.3 — What an audit would involve

If we invoke the right-to-audit, we will:

  1. Provide 14 calendar days' written notice of our intention to conduct an assessment, unless a security incident requires more immediate access. The notice will specify: the reason for the audit; the scope (what systems, controls, or processes we will assess); the proposed format (documentation review, personnel interviews, or technical testing); and the proposed dates.

  2. Agree the scope with you before starting. We are not entitled to an unlimited trawl through your systems and data. The scope of our audit right is limited to the systems, controls, and processes relevant to our engagement. We will agree the specific scope before the audit begins.

  3. Conduct the audit with minimal disruption. We will work with your security team to conduct the assessment in a way that does not materially disrupt your operations. We will not require production system access for testing purposes without your agreement and your IT team's involvement.

  4. Use qualified assessors. If we engage an external specialist to conduct the audit, we will notify you of the specialist's identity and credentials before the audit begins. The specialist will be bound by our own confidentiality obligations to you.

  5. Treat your information as confidential. Any information we collect during an audit — including your security architecture, control configurations, vulnerability findings, and personnel information — is treated as your confidential information. It will not be disclosed to third parties except as required by our own regulatory reporting obligations or with your written consent.

  6. Provide you with the findings. After the audit, we will provide you with a written summary of findings within 10 business days. Findings will be classified by severity (Critical, High, Moderate, Low). For each finding, we will provide a description, the evidence that supports the finding, and a recommended remediation timeline.

  7. Agree a remediation plan. For Critical and High findings, we expect a remediation plan within 20 business days of receiving the findings report. We will confirm the plan is adequate and will follow up at an agreed date to verify completion.


6.4 — Your rights during an audit

You can request that the audit scope be limited to what is relevant to our engagement. If we request access to systems or information beyond what is reasonably connected to our engagement, you can challenge that request. The right-to-audit is scoped to our engagement — not to your entire business.

You can request that the auditors be bound by a confidentiality agreement. If we are using external assessors, you can ask that they sign a confidentiality agreement before the audit begins. We will accommodate this request.

You can have your legal counsel review the audit request. The 14-day notice period is partly designed to allow you this opportunity. If you have concerns about the scope, format, or legality of an audit request, raise them within 5 business days of receiving the notice so that they can be resolved before the audit begins.

You can propose an alternative form of verification. If we have requested an audit for a specific reason (for example, to verify a particular control), you may propose an alternative form of evidence that satisfies the same requirement. We will consider proposals in good faith. An alternative is only acceptable if it provides equivalent assurance to what the audit would have produced.


6.5 — What happens if you refuse an audit

Refusing to cooperate with a reasonable, properly notified audit request is a breach of your contract. The right-to-audit is a contractual provision — it is not optional and cannot be retrospectively removed by your refusal.

If you refuse a properly notified audit, we will:

  1. Give you 5 business days to reconsider and provide a substantive reason for your refusal
  2. Assess whether there is a legitimate reason that we can accommodate (for example, a legitimate legal privilege claim, or a genuine operational constraint on the proposed dates)
  3. If no accommodation is possible and the refusal is maintained, treat the refusal as a material contract breach and proceed accordingly

A refusal to cooperate with an audit triggered by a security incident involving our data is a particularly serious breach. In that circumstance, we may have obligations to regulatory authorities (DFARS, ICO, DEFSTAN contracting authority) that require us to demonstrate we have assessed the impact on our data. An audit refusal that prevents us from meeting those regulatory obligations directly creates regulatory risk for us that we will seek to recover from the breaching party.


Section 7 — CISO: how to process submissions

This section is for internal use — CISO and isms-security access only.


7.1 — Submission receipt and triage

On receiving each submission, the CISO:

  1. Sends an acknowledgement to the supplier within 3 business days confirming:
       • Submission received
       • The assurance reference: SA-[YYYY]-[CompanyCode]-[NNN]
       • Provisional scheduled date for the assurance review meeting
       • Any immediately obvious missing items (so the supplier can address them before the review)

  2. Opens or updates the supplier record in Confluence at: EV-C → Risk Management → Supplier Assessments → [Supplier name] → [YYYY]

  3. Starts the review checklist in Section 7.2 below


7.2 — Submission review checklist

CISO SUBMISSION REVIEW CHECKLIST

Assurance reference: SA-[YYYY]-[CompanyCode]-[NNN]
Supplier: [Name]
Submission date: [DATE]
Reviewer: [CISO name]

MANDATORY ITEMS — verify each:

M1 — Certification evidence:
  ☐ Certificate / report received
  ☐ Certificate type: ISO 27001 / CE Plus / SOC 2 / CMMC
  ☐ Certificate number: [number]
  ☐ Valid-to date: [date] — not expired: ☐ Yes  ☐ No
  ☐ Independently verified: ☐ Yes  ☐ Failed verification — action: _________
  ☐ Scope covers our engagement: ☐ Yes  ☐ No — discuss at review
  ☐ Issuing body is accredited: ☐ Yes  ☐ No — [specify issue]

M2 — Named individuals register:
  ☐ Received in correct format
  ☐ Count: [N] individuals
  ☐ Cross-referenced against our Entra ID / ACS access logs:
      Individuals in submission not in our logs: [N] — [names if any]
      Individuals in our logs not in submission: [N] — [names if any — RED FLAG]
      Accounts not accessed in >12 months: [N] — discuss at review
  ☐ Screening dates — all preceded access creation dates: ☐ Yes  ☐ No
      If No: [name(s) where screening date is after access date — RED FLAG]

M3 — Questionnaire:
  ☐ Received and signed by appropriate authority (CISO / Director level)
  ☐ All sections completed (no blanks)
  ☐ Blocking findings from questionnaire review:
      Section C (privileged access): any "No" to individual accounts or MFA:
        ☐ None  ☐ Found: [describe]
      Section D (devices): unsupported OS or patch SLA >14 days:
        ☐ None  ☐ Found: [describe]
      Section F (incidents): unreported incidents affecting our data:
        ☐ None  ☐ Found: [describe — RED FLAG if unreported]
      Section H (certification): lapsed or out-of-scope certification:
        ☐ None  ☐ Found: [describe]
      Section I (exceptions): any open exceptions not previously agreed:
        ☐ None  ☐ Found: [describe]

M4 — Incident history:
  ☐ Received — content: [nil incidents statement / [N] incidents described]
  ☐ Cross-referenced against our incident log:
      Any incidents in our records not disclosed: ☐ None  ☐ Found — RED FLAG
  ☐ Any incidents not previously notified within required timelines:
      ☐ None  ☐ Found: [describe — discuss at review]

M5 — Sub-contractor register:
  ☐ Received — [N] sub-contractors listed
  ☐ All previously CISO-approved: ☐ Yes  ☐ No — unapproved sub-contractors: [names]
  ☐ DPAs in place for all data-processing sub-contractors: ☐ Yes  ☐ No

CONDITIONAL ITEMS — verify as applicable:

C1 — CMMC (if applicable):
  ☐ SPRS score: [N] — date submitted: [DATE]
  ☐ Consistent with prior year: ☐ Yes  ☐ Changed — [direction and magnitude]
  ☐ Affirmation signed by named senior official: ☐ Yes  ☐ No
  ☐ POA&M summary received (if score <110): ☐ Yes  ☐ No — items: [N]
  ☐ Any open POA&M items directly relevant to our engagement: ☐ None  ☐ Yes: [describe]

C2 — DEFSTAN (if applicable):
  ☐ Profile [N] evidence received
  ☐ Evidence covers all mandatory items for that profile: ☐ Yes  ☐ Partial: [gaps]
  ☐ Personnel screening summary — BPSS dates all precede access dates: ☐ Yes  ☐ No

C3 — Personal data (if applicable):
  ☐ DPA reference confirmed current: ☐ Yes  ☐ No — action: [_________________]
  ☐ Sub-processor list received and complete: ☐ Yes  ☐ No

OVERALL SUBMISSION ASSESSMENT:

Blocking issues (prevent assurance cycle progressing until resolved):
  [List any, or "None"]

Issues to discuss at assurance review meeting:
  [List any, or "None"]

Proposed risk rating (subject to assurance review):
  ☐ Green — no material issues
  ☐ Amber — issues identified with agreed remediation path
  ☐ Red — material issues without agreed remediation or unexplained gaps

Assurance review meeting scheduled: [DATE/TIME]
Confirmed with supplier: ☐ Yes  ☐ Pending

CISO signature: _________________________ Date: ___________________
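The M2 cross-reference above (individuals in the submission but not in our logs, individuals in our logs but not in the submission, accounts idle for more than 12 months, and screening dates that fall after access creation) is the one checklist step that is easiest to get wrong by hand, because the two sources use different identifiers and one missed row hides exactly the RED FLAG case. The following Python script is an added illustration of that reconciliation, not tooling that belongs to this page or to the ISMS: the CSV column names (`email`, `screening_date`, `userPrincipalName`, `createdDateTime`, `lastSignInDateTime`) and every sample row are constructed assumptions standing in for the supplier's register and for an Entra ID or ACS export.

```python
"""Reconcile a supplier's named individuals register against our own access
export, as in checklist item M2. Added example; column names and rows are
constructed assumptions, not the real register or export format."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample of the supplier's register: one row per named individual
# with the date their personnel screening was completed.
SUPPLIER_REGISTER_CSV = """email,screening_date
alice@supplier.example,2023-02-10
bob@supplier.example,2024-05-20
carol@supplier.example,2024-01-05
"""

# Constructed sample of our own access export. Column names mimic an Entra ID
# user export but are an assumption; an ACS export would be mapped the same way.
# An empty lastSignInDateTime means the account has never signed in.
ACCESS_EXPORT_CSV = """userPrincipalName,createdDateTime,lastSignInDateTime
Alice@supplier.example,2023-03-01,2025-02-14
bob@supplier.example,2024-05-01,2025-03-02
dave@supplier.example,2022-11-11,2023-12-01
erin@supplier.example,2024-09-09,
"""


@dataclass
class ReconciliationResult:
    not_in_our_logs: List[str]          # declared by supplier, no account with us
    not_in_submission: List[str]        # account with us, omitted by supplier (RED FLAG)
    stale_accounts: List[str]           # no sign-in within the stale window
    screening_after_access: List[str]   # access created before screening completed (RED FLAG)

    @property
    def red_flags(self) -> bool:
        """True when any finding the checklist marks RED FLAG is present."""
        return bool(self.not_in_submission or self.screening_after_access)


def _parse_optional_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_register(csv_text: str) -> Dict[str, date]:
    """Map lower-cased email -> screening date. Identifiers are normalised so a
    case difference between the two sources does not produce a false gap."""
    out: Dict[str, date] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        out[row["email"].strip().lower()] = date.fromisoformat(row["screening_date"].strip())
    return out


def load_access_export(csv_text: str) -> Dict[str, Tuple[date, Optional[date]]]:
    """Map lower-cased UPN -> (account created date, last sign-in date or None)."""
    out: Dict[str, Tuple[date, Optional[date]]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["userPrincipalName"].strip().lower()
        out[upn] = (date.fromisoformat(row["createdDateTime"].strip()),
                    _parse_optional_date(row["lastSignInDateTime"]))
    return out


def reconcile(register: Dict[str, date],
              access: Dict[str, Tuple[date, Optional[date]]],
              as_of: date, stale_after_days: int = 365) -> ReconciliationResult:
    declared = set(register)
    provisioned = set(access)
    # Never-signed-in accounts count as stale: they are provisioned but unused.
    stale = [u for u, (_, last_sign_in) in access.items()
             if last_sign_in is None or (as_of - last_sign_in).days > stale_after_days]
    # Screening must precede access creation; compare only where both sources agree.
    late_screening = [u for u in declared & provisioned if register[u] > access[u][0]]
    return ReconciliationResult(
        not_in_our_logs=sorted(declared - provisioned),
        not_in_submission=sorted(provisioned - declared),
        stale_accounts=sorted(stale),
        screening_after_access=sorted(late_screening),
    )


def run_sample(as_of: date = date(2025, 3, 31)) -> ReconciliationResult:
    """Run the reconciliation over the constructed samples as of the deadline."""
    return reconcile(load_register(SUPPLIER_REGISTER_CSV),
                     load_access_export(ACCESS_EXPORT_CSV), as_of)


if __name__ == "__main__":
    result = run_sample()
    for label, names in (("In submission, not in our logs", result.not_in_our_logs),
                         ("In our logs, not in submission (RED FLAG)", result.not_in_submission),
                         ("Not accessed in >12 months", result.stale_accounts),
                         ("Screening after access creation (RED FLAG)", result.screening_after_access)):
        print(f"{label}: {len(names)} {names}")
    print("Blocking red flags:", result.red_flags)
```

The four lists map directly onto the four sub-items of M2, so the counts and names can be copied into the checklist; the two RED FLAG categories are the ones that stop the cycle progressing until the supplier explains them. The idle-account window is a parameter because the checklist says "&gt;12 months" rather than a fixed day count.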

7.3 — Post-assurance review actions

Within 5 business days of the assurance review meeting:

  1. Send the meeting summary to the supplier contact
  2. Update the critical supplier register with the confirmed risk rating
  3. Update the management-facing view (Supplier Governance and Business Continuity Oversight page)
  4. For Red-rated suppliers: notify the relevant Director within 24 hours and prepare the management decision paper
  5. Create EV-A03 corrective action entries for any findings that require follow-up
  6. File all documents at: EV-C → Risk Management → Supplier Assessments → [Supplier name] → [YYYY]

7.4 — Evidence filing structure at EV-C

EV-C → Risk Management → Supplier Assessments → [Supplier name] → [YYYY]

Document                           Filename convention
──────────────────────────────────────────────────────────────────────────────
Questionnaire (signed)             SA-[YYYY]-[Code]-Questionnaire-Signed.pdf
Certificate (ISO 27001)            SA-[YYYY]-[Code]-ISO27001-Cert-[CertNo].pdf
Certificate (CE Plus)              SA-[YYYY]-[Code]-CEPlus-Cert-[CertNo].pdf
SOC 2 report / summary             SA-[YYYY]-[Code]-SOC2-Report-[Period].pdf
CMMC evidence package              SA-[YYYY]-[Code]-CMMC-Evidence.pdf
DEFSTAN evidence package           SA-[YYYY]-[Code]-DEFSTAN-Profile[N].pdf
Named individuals register         SA-[YYYY]-[Code]-Individuals-[YYYY].xlsx
Incident history                   SA-[YYYY]-[Code]-IncidentHistory-[YYYY].pdf
Sub-contractor register            SA-[YYYY]-[Code]-SubContractors-[YYYY].xlsx
Personal data evidence             SA-[YYYY]-[Code]-PersonalData-[YYYY].pdf
CISO review checklist              SA-[YYYY]-[Code]-ReviewChecklist.pdf
Assurance meeting notes            SA-[YYYY]-[Code]-MeetingNotes-[DATE].pdf
Meeting summary (sent to supplier) SA-[YYYY]-[Code]-MeetingSummary-[DATE].pdf
Risk rating confirmation           SA-[YYYY]-[Code]-RiskRating-[Green/Amber/Red].pdf

Retention: 3 years from submission date
DEFSTAN-related records: contract duration + 3 years post-contract

Section 8 — Contacts and further information

PRIMARY CONTACT FOR ALL ASSURANCE QUERIES:

CISO: [CISO name]
Email: [ciso@organisation.com]
Phone: [CISO direct line]

Please use the following subject line prefixes for email:
  SUPPLIER ASSURANCE — [Your company name] — [YYYY]    (for submissions)
  SUPPLIER ASSURANCE QUERY — [Your company name]        (for questions)
  SUPPLIER ASSURANCE MEETING — [Your company name]      (for meeting scheduling)

SUBMISSION DEADLINE: [31 March] annually

RELATED PAGES:
  Standard-tier obligations:    Supplier Security Obligations
  Critical-tier obligations:    Critical Supplier Security Obligations
  Incident reporting:           Supplier Incident Reporting
  Data handling rules:          Data Handling and Classification Rules for Suppliers
  Onboarding:                   Supplier Onboarding
  Management view:              Supplier Governance and Business Continuity Oversight

EXTERNAL VERIFICATION RESOURCES:
  ISO 27001 certificate lookup:  UKAS register at ukas.com/find-an-organisation
  CE certificate lookup:         ncsc.gov.uk/cyberessentials/search
  CMMC C3PAO certificate lookup: cybermarketplace.net
  SOC 2 auditor accreditation:   aicpa-cima.com/membership/directory

Confluence page version and review

Version   Date      Prepared by   Key changes
──────────────────────────────────────────────────────
1.0       [DATE]    CISO          Initial publication

Page owner: CISO · Review cycle: Annual (December — ahead of each assurance cycle) · SCM: isms-all-staff (read), isms-management (read), isms-it-staff (read), isms-security (full) · Questions: [ciso@organisation.com]