Supplier Management Policy
Document ID: DPWAT-ISMS-POL-007
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Policy
DP WAT manages information security risks related to suppliers and third parties that provide services, handle DP WAT information, or support DP WAT operations.
2. Supplier categories (risk-based)
- Critical supplier: compromise/outage has major security or operational impact (e.g., identity provider, source code hosting).
- Important supplier: supports operations; impact is moderate (e.g., accounting, travel).
- Low-impact supplier: minimal access or impact (e.g., cleaning services with no information access).
3. Requirements by category
Critical suppliers:
- documented onboarding evaluation,
- contract/terms review (security/privacy as applicable),
- annual review (e.g., check security documentation/certifications where available),
- defined exit/continuity considerations.
Low-impact suppliers:
- basic record in the supplier register; no formal ISO or other security certification requirement unless the supplier accesses DP WAT information.
4. Supplier change notification
Critical and important suppliers must notify DP WAT of significant changes that could affect security:
- Changes to security certifications or compliance status
- Major infrastructure changes or migrations
- Changes in key personnel with access to DP WAT data
- Security incidents affecting DP WAT data or services
- Subcontractor changes for services provided to DP WAT
For SaaS providers, DP WAT monitors service status pages and security advisories. For contracted services, notification requirements are included in agreements where applicable.
5. Supplier register
All suppliers used for in-scope activities must be recorded in the supplier register (supplier-register).