Supplier Onboarding and Review

Document ID: DPWAT-ISMS-PROC-006
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)

1. Onboarding

1. Identify supplier and service, and whether they handle DP WAT information.
2. Categorize supplier (critical/important/low-impact).
3. Perform evaluation proportionate to category (security/privacy/availability).
4. Record in supplier register.
5. Ensure contractual terms are acceptable (NDA/DPA where needed).
6. If the supplier is a professional services provider (e.g., accounting, legal) and will receive/access DP WAT information, obtain a proportional security acknowledgement using template-third-party-minimal-security-acknowledgement.

2. Annual review (for critical and important suppliers)

• Re-check vendor security posture evidence where available (e.g., ISO/SOC reports, security whitepapers).
• Review any incidents/outages and consider corrective actions or exit plans.
• Record review evidence in 07-records/<year>/supplier-reviews/.

3. SaaS and cloud provider verification

For SaaS and cloud providers (e.g., Google, GitHub, AWS, Azure, Cloudflare), DP WAT verifies security posture by:

1. Checking the vendor's security/trust documentation (security whitepapers, trust center).
2. Confirming relevant certifications (ISO 27001, SOC 2 Type II).
3. Reviewing standard terms (DPA, acceptable use) for GDPR compliance where applicable.
4. Noting any significant security incidents affecting DP WAT services.

This verification is recorded in a supplier review record. DP WAT does not negotiate custom security terms with major SaaS providers; instead, we select reputable vendors with strong security programs and verify their published security posture.

4. ICT supply chain considerations

DP WAT manages ICT supply chain risk by:

• Selecting reputable, established vendors with demonstrated security programs (certifications, security teams, incident response).
• Preferring vendors with transparent security practices (published security documentation, compliance reports).
• Monitoring vendor security announcements and advisories.
• Maintaining awareness of vendor dependencies and considering alternatives where single-vendor risk is material.

5. Low-impact and general services suppliers

For low-impact suppliers that do not access DP WAT information systems (e.g., travel booking, car services, insurance, training):

• DP WAT uses reputable, established providers.
• No formal security evaluation is required.
• Record in supplier register for completeness.
• Standard consumer/business terms apply.

Examples: airlines (Lufthansa, TAROM, HiSky), hotel booking (Booking.com), car leasing (Autonom), insurance (NN Asigurari).

6. Third-party consultants and contractors (PFA/SRL)

For IT contractors and consultants (PFAs, SRLs) who access DP WAT or customer systems:

• Selection based on technical competence and professional reputation.
• Policy acknowledgement required (see 04.01-people-onboarding-offboarding-and-third-parties).
• Access provisioned per 04.02-access-request-changes-and-offboarding.
• Recorded in access register and training register.