We understand that third-party risks can impact business security. Here's a Vendor Management Policy document that ensures a structured approach to evaluating, onboarding, and monitoring vendors while maintaining compliance and data security.
Download now and take a step towards a more secure vendor ecosystem!
www.infosectrain.com | www.azpirantz.com
Revision History

Version | Author | Description of Changes | Release Date
1 | XYZ Information Security Manager | XYZ | 29/01/2025

Version | Author | Reviewed by | Approved by
1 | XYZ Information Security Manager | XYZ CTO (Chief Technology Officer) | Board of Directors
Table of Contents

Purpose ............................... 04
Scope ................................. 05
Roles and Responsibilities ............ 06
Framework ............................. 07
Vendor Selection Criteria ............. 07
Onboarding ............................ 07
Vendor Categorization ................. 08
Offboarding and Termination ........... 08
Compliance and Enforcement ............ 09
Policy Review and Maintenance ......... 10
Purpose

The purpose of this Vendor Management Policy is to establish a framework for selecting, onboarding, monitoring, and terminating relationships with vendors to minimize risks, ensure compliance with applicable regulations, and safeguard organizational resources and data.
Scope

This policy applies to all employees, departments, and business units of XYZ company that engage with vendors, suppliers, contractors, service providers, and third-party organizations. It covers all vendor interactions, including procurement, onboarding, compliance, and termination.
Roles and Responsibilities

3.1 TPRM or Third Party Risk Management
TPRM shall be responsible for maintaining the vendor inventory.
TPRM shall be responsible for conducting the security assessments before onboarding any vendor and for monitoring the periodic review of the vendors.
TPRM shall be responsible for the development and update of the vendor management framework.

3.2 Business Unit Heads
Business unit heads shall be responsible for the vendor requirements and for approval of vendor selection as well as their onboarding.

3.3 Vendor Manager
The Vendor Manager shall oversee the entire vendor lifecycle and manage the vendor system access.
Framework

4.1 Vendor Selection Criteria
Criteria shall be based on business requirements and needs, compliance with regulatory standards and certifications, and industry reputation.
Conduct a comprehensive vendor risk assessment, including background verification and review of past performance and legal history.

4.2 Onboarding
Collect necessary documentation including business registration and regulatory compliance certifications (ISO 27001, SOC 2, GDPR compliance).
Formalize contractual agreements such as Non-Disclosure Agreements (NDAs) and Service-Level Agreements (SLAs).
4.3 Vendor Categorization
Vendors shall be categorized into three levels:
High: Vendors shall be categorized as high if they can cause significant financial loss or can lead to business disruptions beyond 24 hours. Examples: cloud service providers, payment processors, data centres.
Medium: Vendors shall be categorized as medium if they support business functions but do not directly impact core operations, and if the disruption time is not more than 24 hours. Examples: IT support providers, HR outsourcing firms, marketing agencies.
Low: Vendors shall be categorized as low if they have minimal or no access to sensitive data and provide non-critical services with low business impact. Examples: office supply vendors, catering services, cleaning companies.
4.4 Offboarding and Termination
Revoke all system and network access granted to the vendor and retrieve company-issued assets.
Verify the destruction of organizational data and update vendor records/inventory to reflect termination status.
Conduct a final compliance review and risk assessment, if applicable to the vendor.
Compliance and Enforcement

Vendors are required to comply with contractual and policy requirements; non-compliance may lead to contract termination and legal action.
Policy Review and Maintenance

This policy shall be reviewed at least annually or in response to significant regulatory changes, and any modifications or updates must be approved by senior management.
Authored by: Dinesh