Supply Management

PURPOSE

HIC Services requires the security of its information to be maintained in order to ensure that it is able to rely on its information for its business needs and meets its statutory, regulatory and contractual obligations. Such security is critical to achieving and maintaining ISO/IEC 27001:2013-based security controls.

SCOPE

This procedure covers all suppliers to HIC whose services have an effect on the security of its information.

RESPONSIBILITIES

ROLE: Development Team

RESPONSIBILITY: Responsible for implementing monitoring within applications and for actively monitoring the Service Catalogue for service status.

PROCEDURE

Steps 

  1. Where possible, service monitoring is performed throughout the entire life of a service / project within HIC. When an important event occurs, relevant members of staff are notified. Levels of expected service will be agreed with the Client during the requirements stage.

  2. Any organisation accessing, processing, communicating, or managing HIC’s information must do so such that HIC’s legal, regulatory and contractual obligations are met.

  3. Any handling of personal data beyond the HIC environment must obtain the necessary approvals from the data controller prior to processing.

  4. Access to information assets and systems will be the minimum necessary to achieve business purposes.  

  5. Supplier personnel may only enter HIC’s premises with appropriate identification and may only enter areas of HIC’s premises commensurate with their function and, where appropriate (for example, in security areas), escorted by HIC staff.  

  6. Where a supplier is contracted to manage a service utilising or connected to HIC information, information assets or information systems, the supplier must ensure that an information security management system employed to secure HIC data, information assets or information systems is in place and where appropriate complies with ISO/IEC 27001. Evidence must be provided to HIC of compliance with the standard, either through formal certification or otherwise to HIC’s satisfaction before any HIC information, information assets or information systems are accessed by the supplier.  

  7. Suppliers must have a security incident reporting process in place to a standard and design acceptable to HIC to ensure that any incidents involving HIC information are immediately reported to HIC. Suppliers must agree to undertake any remedial action required by HIC and ensure that this is implemented in an auditable manner.  

APPLICABLE REFERENCES

  • Registered company office address and registration number in the UK 

  • For Definitions see ISMS Glossary

QUALITY RECORDS

  • Supplier Assessment

  • Catalogue of suppliers

DOCUMENT CONTROLS

Process Manager: Keith Milburn

Point of Contact: hicbusiness-support@dundee.ac.uk

Revision history (revision number, revision date, revision made, revision by, revision category, approved by, effective date):

Revision 1.0
  Revision date: 01/01/24
  Revision made: Moved SOP to Confluence from SharePoint and updated into new template
  Revision by: Bruce Miller and Symone Sheane
  Revision category: Superficial
  Approved by: Governance Co-Ordinator: Symone Sheane
  Effective date: 10/01/24

Revision 1.1
  Revision date: 04/04/24
  Revision made: Updated Roles and Responsibilities
  Revision by: Bruce Miller
  Revision category: Superficial
  Approved by: Governance Co-Ordinator: Symone Sheane
  Effective date: 5/04/24

Revision 1.2
  Revision date: 10/04/24
  Revision made: Formatted document control table and added in revision category
  Revision by: Symone Sheane
  Revision category: Superficial
  Approved by: Governance Co-Ordinator: Symone Sheane
  Effective date: 10/04/24

Revision 1.3
  Revision date: 19/04/24
  Revision made: Updated Approved by title
  Revision by: Symone Sheane
  Revision category: Superficial
  Approved by: Governance Co-Ordinator: Symone Sheane
  Effective date: 19/04/24

Revision 1.4
  Revision date: 30/04/24
  Revision made: Updated Header to conform with BSI guidelines
  Revision by: Bruce Miller
  Revision category: Superficial
  Approved by: Governance Co-Ordinator: Symone
  Effective date: 30/04/24

Revision 1.5
  Revision date: 02/05/24
  Revision made: Updated links to Definitions in ISMS Glossary
  Revision by: Bruce Miller
  Revision category: Superficial
  Approved by: Governance Co-Ordinator: Symone Sheane
  Effective date: 02/05/24

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within the current versioning system
prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.