Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

02) Does your organisation have formal agreements in place that have appropriate security clauses, including a right to audit and mandatory adherence to security policies?

August 30, 2022
Supply Chain Management
Trickle Down Security

Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that contains appropriate security clauses including the right to audit and mandatory adherence to appropriate security policies.

It is important that in your supplier contracts you have defined a level of information security requirements that your suppliers must meet, and that you have imposed audit rights over the supplier to make sure you can get assurance that the requirements are being met.

The contract should also mandate that the supplier has to ‘trickle down’ these requirements onto any of their suppliers who have access to your data.

The following is a list of example security clauses that may need to be included in your contracts:

  • Right to audit. This is a clause that gives your organisation the right to audit and test the supplier’s security controls periodically, or upon significant changes to the relationship.
  • Notification about security breaches. This is a clause requiring the supplier to inform you in a timely manner regarding any security breaches that may impact your business. Generally, this clause is aligned to GDPR’s data breach notification requirements as well.
  • Adherence to security practices. This is a clause requiring the provider to adhere to your defined set of security requirements (such as those measured on Risk Ledger). This looks to prevent security gaps or conflicts that could impair security performance. This clause should also include a ‘trickle down’ requirement that ensures the supplier mandates and checks that its own suppliers fulfil the same security requirements as defined by this clause.
  • Response time to vulnerabilities. This clause can be included in the above adherence to security practices clause. It requires the supplier to provide, in a timely manner, proper treatment for known vulnerabilities that may impact your business.
  • Communication of changes. This clause requires the supplier to inform you in a timely manner of any changes in its environment that may impact your own businesses risk profile.

How to implement the control

Risk Ledger recommends that you use a solicitor to ensure all of your supplier contracts contain the relevant clauses to ensure that all risks (security and other risks) are minimised.

Risk Ledger helps you to make sure your suppliers comply with your information security requirements, to find out more contact us at!

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.