Supplier security policy

Published: 26 February 2025
Freedom of information class: How we procure goods and services

This policy outlines our security requirements when working with stakeholders outside of RoS, such as suppliers and partner organisations.


Purpose and scope

1.1 This policy sets out the requirements to be met when engaging with individuals or organisations external to RoS (‘third parties’), which require access to RoS information assets. Third parties include contractors, suppliers, service providers, partners and other stakeholders supporting our service delivery.

1.2 This policy covers activities undertaken under contractual or commercial arrangements, including the supply of goods and services to or by us, and activities conducted under other non-commercial agreements or arrangements.

1.3 This policy covers access to all our information assets, whatever their format or sensitivity, and wherever they are created, used or stored. Information assets include all our data and electronic information, software and applications, hardware and equipment, and hardcopy information.

1.4 This policy is subordinate to the overarching RoS Information Security Policy.

Risk management

2.1 Third party access to our information assets must be risk-assessed by relevant colleagues prior to access being enabled. The risk assessment must consider each of the following as applicable:

2.1.1 Prior to risk assessing a new supplier engagement, the Supplier Catalogue must be reviewed, or procurement colleagues engaged, to determine whether an approved supplier who can provide the service is already in place.

2.1.2 The level and duration of the access and privileges required by the third party, restricting these to the minimum required to perform the agreed tasks – these should be monitored over time and third parties made aware of this.

2.1.3 The security controls implemented by the third party - all prospective suppliers must be subject to the third-party due diligence process administered by procurement colleagues, prior to being enabled with access.

2.1.4 The suitability of personnel to access our information assets - all contractors must be subject to the required vetting for their role, prior to being enabled with access.

2.1.5 The legal controls implemented between us and the third party – agreements and arrangements must be formally documented and include details of the respective legal, regulatory and information security responsibilities of each party, including how data will be transferred, deleted or destroyed upon termination/cessation.

2.2 Risks to information assets which are identified must be recorded and assessed by relevant colleagues. A named risk owner must be identified, made aware of the risk, and lead on risk treatment or tolerance.

2.3 Suppliers must be reviewed periodically, at a cadence determined by the supplier's risk profile.

2.4 Risks to information assets must be reviewed during the lifetime of the arrangement with the third party to ensure that any changing risk exposure is identified and treated appropriately.

2.5 This policy must be brought to the attention of any third party with whom we enter an arrangement or agreement requiring the provision of access to our information assets and should form part of our procurement and supply/purchasing procedure.

Third party obligations

3.1 Third parties must:

3.1.1 Have in place the required organisational and technical security controls to preserve and monitor the confidentiality, integrity and availability of RoS information assets.

3.1.2 Upon request, provide details about the organisational and technical security controls that protect information assets, including:

  • Locations of facilities used in the provision of services and where RoS information may be communicated and/or stored
  • Assurance activities involved in monitoring the control effectiveness
  • Security education and awareness programmes for personnel supporting client data and infrastructures

3.1.3 Demonstrate compliance with all relevant RoS information security policies, guidelines and procedures, as well as the requirements of applicable legislation and regulation.

3.1.4 Inform us without delay of any of the following events which might compromise the confidentiality, availability, or integrity of our information assets:

  • Relevant security events or incidents, including near misses
  • Deficiencies in security controls that cannot be immediately remediated
  • Changes to the service overall or to the security controls used to provide the service
  • Employee actions or procedural failures
  • Changes to or incidents within a sub-contractor service

3.1.5 Report such events to our IT Security Team, Procurement account lead and Data Protection Officer (dataprotection@ros.gov.uk), and supply post-event information detailing the cause, protective measures, lessons learned and improvement actions without delay.

Third party supply chains

4.1 Regarding their own sub-contractors and suppliers, third parties must:

4.1.1 Conduct security due diligence of each sub-contractor or supplier, prior to allowing the subcontractor to access any of our information assets and provide evidence of due diligence activities to RoS Information Security Personnel upon request.

4.1.2 Satisfy themselves that each sub-contractor or supplier has implemented appropriate organisational and technical security controls to protect our information assets, equivalent to those implemented by the third party itself, and monitor these to prevent unauthorised access or use.

4.1.3 Ensure that written agreements are in place for all sub-contractors forming part of the supply chain providing services to RoS.

4.1.4 Provide the name, address and location of all sub-contractors or suppliers on request.

4.1.5 Provide details of the organisational and technical security controls in place to protect our information assets, and the monitoring of these, on request.

4.1.6 Have processes and procedures in place to report information security events as set out in 3.1.4 and 3.1.5.

Roles and responsibilities

5.1 All RoS employees and contingent workers are bound by the commitments of this policy, and:

5.1.1 Are required to effectively operate the range of procedures and controls which facilitate compliance in practice.

5.1.2 Must report any non-conformances with, or proposed improvements to, policy requirements to the Information Security Assurance Group (ISAG).

5.2 Managers and Team Leads must ensure that all relevant processes, products or services support compliance with this policy.

5.3 The ISAG has ownership of this policy and is responsible for enforcement of its requirements.

5.4 The ISAG is accountable for Information security, which includes requirements for the protection and handling of RoS Information Assets.

5.5 Frameworks (or agreements) must be in place to ensure that all partners within a supply chain are aware of the policy requirements and understand their responsibilities for compliance.

5.6 This policy should be part of the publication scheme. Internally, all employees should be made aware of the policy. Any third-party suppliers engaged to conduct work for or on behalf of RoS must also be made aware of this policy. The policy must be a mandatory read for all colleagues outwith core Registration roles, for GPC cardholders, and for contractors working within these areas.

Approval and review

This policy will be reviewed and approved by the Information Security Assurance Group (ISAG) annually, unless earlier review is appropriate.

Author: Information Assurance Advisor
Reviewed: Head of Information Security, Risk & Assurance
Cleared: Director of Policy and Corporate Services and Accountable Officer – Information Security Assurance Group (ISAG)
Approval: Information Security Assurance Group (ISAG)
Approval date: February 2025
Policy version: 3.0
Review responsibility: Information Security Assurance Group (ISAG)
Review date: February 2026
Publication scheme: Yes
Email to contact: sra@ros.gov.uk