Supply Management


PURPOSE

HIC (Health Informatics Centre) requires the security of its information to be maintained in order to ensure that it is able to rely on its information for its business needs and meets its statutory, regulatory and contractual obligations. 

SCOPE

This SOP applies to all third party suppliers and service providers, including Information and Communication Technology (ICT) and cloud service providers. It also applies to any of the aforementioned suppliers who access, process, or manage information on behalf of the organisation.

RESPONSIBILITIES

Role: Responsible Contact

  • Ensure supplier selection follows the University of Dundee’s Procurement Policy where applicable.

  • Conduct risk assessments before engaging with a supplier.

  • Maintain records of supplier contracts, agreements and compliance documents.

  • Verify supplier compliance with security standards.

  • Assess and mitigate risks associated with supplier services.

  • Ensure access to HIC information assets is granted on a need-to-know basis.

  • Manage onboarding and offboarding processes.

  • Conduct periodic supplier performance reviews.

Role: Supplier

  • Adhere to contractual agreements, service levels, and compliance requirements.

  • Report security incidents to HIC.

  • Ensure secure handling, storage, and disposal of HIC data upon contract termination.

Role: Process Manager

  • Senior staff member or delegated process manager who is responsible for managing the process.

DEFINITIONS

  • Asset: Anything that has value to HIC Services.

  • Data: Information held in electronic or paper form.

  • Data Controller: A group or individual responsible for determining the purposes for which and the manner in which any personal data are, or are to be, processed. For example, NHS Tayside and Fife are Data Controllers for regional NHS data processed on their behalf by HIC Services.

  • Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form including textual, numerical, graphic, cartographic, narrative, and audio-visual. 

  • Information Security: Preservation of confidentiality, integrity, and availability.

  • Information Systems: Any system, service or infrastructure used to process information or the physical locations housing them. This includes critical business environments, business processes, business applications (including those under development), computer systems and networks. 

  • Personal Data: Information relating to an identified or identifiable living person. The 8 Data Protection Principles in relation to protecting personal data are listed in the Policy document.  

  • Risk: The potential for an unwanted event to have a negative impact as a result of exploiting a weakness. It can be seen as a function of the value of the asset, threats, and vulnerabilities.

  • Risk Assessment: Overall process of identifying and evaluating risk.

  • Service: Combination of people, processes, and technology to support a client's business.

  • Third Party: Person or body that is recognised as being independent of HIC Services.

SUPPLIER CLASSIFICATION

HIC might have several contracts with a single supplier. This is why the classification is done at the contract level and not the supplier level. Supplier contracts will be classified based on the potential impact of their services on the organisation’s information security and/or operations.

  • Critical Contracts: Critical contracts are for the provision of goods or services essential to a company’s core operations, production, or business continuity. The failure of a critical contract could significantly impact the organisation. These contracts include those for ICT systems or for essential services such as cloud hosting or software development, and may require access to sensitive data.

  • Non-Critical Contracts: Non-critical contracts are for the provision of goods or services that are not essential to a company’s core operations, production, or business continuity. The failure of a non-critical contract would have minimal impact on the organisation, as the products or services can be easily replaced or sourced from an alternative supplier, and such contracts require limited or no access to sensitive data.

PROCEDURE 

1. Supplier Selection

  • Supplier selection must follow University of Dundee’s Procurement Policy where applicable.

  • A HIC risk assessment must be conducted before entering into a new agreement with a supplier.

2. Supplier Onboarding

  • Where a supplier is contracted to manage a service utilising or connected to HIC information, information assets or information systems, the supplier must ensure that an information security management system employed to secure HIC data, information assets or information systems is in place and where appropriate complies with ISO/IEC 27001. Evidence must be provided to HIC of compliance with the standard, either through formal certification or otherwise to HIC’s satisfaction before any HIC information, information assets or information systems are accessed by the supplier.  

  • A contractual agreement outlining terms, service levels, and compliance requirements must be signed.

  • Supplier contracts must be categorised into risk tiers (critical vs. non-critical) based on their service and level of access to organisational systems and information.

  • Any handling of personal data beyond the HIC environment must obtain the necessary approvals from the data controller prior to processing.

3. Risk Management

  • Any organisation accessing, processing, communicating, or managing HIC’s information must do so such that HIC’s legal, regulatory and contractual obligations are met.

  • Any identified risks will be addressed through risk mitigation strategies.

  • Access to information assets, systems and premises will be the minimum necessary to achieve business purposes.  

  • Supplier personnel may only enter HIC’s premises with appropriate identification and may only enter areas of HIC’s premises commensurate with their function and, where appropriate (for example, in security areas), escorted by HIC staff.  

4. Supplier Monitoring

  • Supplier performance reviews will be conducted periodically, when a supplier contract's end date is near. Supplier performance is measured by evaluating a supplier against the business requirement categories of reliability, cost-effectiveness and support responsiveness.

  • Suppliers must have a security incident reporting process in place to a standard and design acceptable to HIC to ensure that any incidents involving HIC information are immediately reported to HIC. Suppliers must agree to undertake any remedial action required by HIC and ensure that this is implemented in an auditable manner.  

  • Any changes to supplier services, such as introducing new technologies, processes, or data access, follow a supplier performance review. This includes assessing the impact of the change.

5. Supplier Offboarding and Termination

  • Agreements may be terminated due to consistent non-compliance, poor performance, or strategic realignment.

  • Upon contract termination, ensure that suppliers return all sensitive data or securely destroy it as per contractual agreements. This applies especially to ICT and cloud service providers.

  • Revoke all access to organisational systems, networks, and data, and confirm that supplier accounts have been deactivated.

6. Record Keeping

  • Maintain accurate and up-to-date records of supplier risk assessments, incident reports, and performance reviews.

  • Store all supplier contracts and agreements to ensure they are readily accessible for audits and compliance checks.

APPLICABLE REFERENCES

  • How To Conduct Supplier Reviews

  • University of Dundee Procurement Policy

DOCUMENT CONTROLS

Process Manager: Keith Milburn

Point of Contact: hic-ops@dundee.ac.uk

Revision history (revision number, revision date, revision made, revision by, revision category, approved by, effective date):

Revision 1.0, 01/01/24
  • Revision made: Moved SOP to Confluence from SharePoint and updated into new template.
  • Revision by: Bruce Miller, Symone Sheane
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone Sheane
  • Effective date: 10/01/24

Revision 1.1, 04/04/24
  • Revision made: Updated Roles and Responsibilities.
  • Revision by: Bruce Miller
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone Sheane
  • Effective date: 5/04/24

Revision 1.2, 10/04/24
  • Revision made: Formatted document control table and added in revision category.
  • Revision by: Symone Sheane
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone Sheane
  • Effective date: 10/04/24

Revision 1.3, 19/04/24
  • Revision made: Updated Approved by title.
  • Revision by: Symone Sheane
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone Sheane
  • Effective date: 19/04/24

Revision 1.4, 30/04/24
  • Revision made: Updated Header to conform with BSI guidelines.
  • Revision by: Bruce Miller
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone
  • Effective date: 30/04/24

Revision 1.5, 02/05/24
  • Revision made: Updated links to Definitions in ISMS Glossary.
  • Revision by: Bruce Miller
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone Sheane
  • Effective date: 02/05/24

Revision 1.6, 29/04/25
  • Revision made: Added in supplier monitoring; added in supplier classifications; added in onboarding and offboarding rules; updated roles and responsibilities.
  • Revision by: Symone Sheane, Keith Milburn
  • Revision category: Material
  • Approved by: Leadership Team
  • Effective date: 16/05/25

Revision 1.7, 11/07/25
  • Revision made: Updated point of contact email.
  • Revision by: Symone Sheane
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone Sheane
  • Effective date: 11/07/25

Revision 1.8, 03/11/25
  • Revision made: Added definitions from glossary.
  • Revision by: Symone Sheane
  • Revision category: Superficial
  • Approved by: Governance Co-Ordinator: Symone Sheane
  • Effective date: 03/11/25

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.