The purpose of this section is to give a brief outline of the company’s procedures, controls and processes when using Third Party Service Providers (Suppliers). It includes an overview of the company’s procedures for supplier assessment, monitoring, performance, security and capabilities.
The use of third-party services is essential for the company to deliver the high-quality services its customers have come to expect.
Risk Assessment
Personally identifiable information (PII)
Any service that holds PII must comply with local regulation (for example, GDPR) and with any customer contracts.
Data storage
Data must be stored in accordance with local regulation (for example, GDPR) and applicable customer contracts.
Operational risk
Is the supplier critical for the company’s services delivered to its customers?
What happens if they're offline?
Who at the company would need to access the supplier service?
Oversight & monitoring
A plan for oversight and monitoring should be in place that takes the risk assessment of the third party service into account.
Cost & Approval
Any new supplier needs approval from the company’s management team together with risk and cost assessments. Any service that holds PII should also get the approval of the CPO.
Third Party Service provider database
All third-party service providers are added to the company’s database.