[Organisation] · Third-Party / Vendor Risk Policy
Version 1.0 · Owner: [Role] · Approved: [Date] · Classification: Internal
Purpose
To manage the security and compliance risks introduced by vendors and other third parties.
Scope
Applies to any third party that accesses, processes or stores [Organisation] data or connects to its systems.
Policy statements
- Vendors are risk-assessed before onboarding, proportionate to the data and access involved.
- Contracts include security, confidentiality, data-protection and breach-notification obligations.
- Vendor access follows least privilege and is reviewed periodically.
- Higher-risk vendors are reassessed on a defined cadence and on material change.
- Vendor offboarding includes access revocation and data return or destruction.
Review
Reviewed annually and after any significant vendor incident.
Template provided by CyberSigma for adaptation. Replace bracketed placeholders and tailor to your environment before adopting. This is guidance, not legal advice.
