𝐕𝐞𝐧𝐝𝐨𝐫 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐏𝐨𝐥𝐢𝐜𝐲

www.infosectrain.com | www.azpirantz.com
Vendor
Management
Policy
Vendor
Management
Policy

Revision History
Version
Author
Description of Changes
Release Date
1
XYZ Information Security Manager
XYZ
29/01/2025
:
:
:
:
Version
Author
Reviewed by
Approved by
1
XYZ Information Security Manager
XYZ CTO (Chief Technology Ofﬁcer)
Board of Directors
:
:
:
:

Purpose
Scope
Roles and Responsibilities
Framework
Vendor selection criteria
Onboarding
Vendor Categorization
Offboarding and Termination
Compliance and Enforcement
Policy review and maintenance
04
05
06
07
07
07
08
08
09
10
Table of Contents

04
Purpose
The purpose of this Vendor Management
Policy is to establish a framework for
selecting, onboarding, monitoring, and
terminating relationships with vendors to
minimize risks, ensure compliance with
applicable regulations, and safeguard
organizational resources and data.

05
Scope
This policy applies to all employees,
departments, and business units of XYZ
company that engage with vendors, suppliers,
contractors, service providers, and third-party
organizations. It covers all vendor interactions,
including procurement, onboarding,
compliance, and termination.

06
Roles and Responsibilities
TPRM shall be responsible for
maintaining the vendor inventory.
Responsible for conducting the
security assessments before
onboarding any vendor and
monitoring periodic review
of the vendors.
TPRM shall be responsible for
the development and update
of the vendor management
framework.
Business unit heads shall be
responsible for the vendor
requirements and approval of
vendor selection as well as their
onboarding.
Vendor Manger shall oversee the
entire vendor lifecycle and
manage the vendor system
access.
3.1 TPRM or Third
Party Risk Management
3.2 Business Unit
Heads
3.3 Vendor Manager

07
Framework
4.1 Vendor Selection Criteria
Criteria shall be based on business requirements and needs, compliance with regulatory
standards and certifications and industry reputation.
Conduct a comprehensive vendor risk assessment, including background verification, review
of past performance and legal history.
4.2 Onboarding
Collect necessary documentation including business registration, and regulatory compliance
certifications (ISO 27001, SOC 2, GDPR compliance).
Formalize contractual agreements like Non-Disclosure Agreements (NDAs), Service-Level
Agreements (SLAs).

08
4.3 Vendor Categorization
Vendors shall be categorized into three levels
High: Vendors shall be categorized as high, if they can cause significant financial loss or can
lead to business disruptions beyond 24 hours. Examples: cloud service providers, payment
processors, data centres.
Medium: Vendors shall be categorized as medium, if they support business functions but do not
directly impact core operations and if the disruption time is not more than 24 hours. Examples:
IT support providers, HR outsourcing firms, marketing agencies.
Low: Vendors shall be categorized as low, if they have minimal or no access to sensitive data
and provide non-critical services with low business impact. Examples: office supply vendors,
catering services, cleaning companies.
4.4 Offboarding and Termination
Revoke all system and network access granted to the vendor and retrieve company-issued assets
Verify the destruction of organizational data and update vendor records/inventory to reflect
termination status.
Conduct a final compliance review and risk assessment, if applicable to the vendor.

09
Compliance and Enforcement
Vendors are required to comply with contractual
and policy requirements; non-compliance may
lead to contract termination and legal action.

10
Policy Review and Maintenance
This policy shall be reviewed at least annually or in
response to signiﬁcant regulatory changes and any
modiﬁcations or updates must be approved by
senior management.
Authored by: Dinesh

𝐕𝐞𝐧𝐝𝐨𝐫 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐏𝐨𝐥𝐢𝐜𝐲

More Related Content

Similar to 𝐕𝐞𝐧𝐝𝐨𝐫 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐏𝐨𝐥𝐢𝐜𝐲 (20)

More from InfosecTrain (20)

Recently uploaded (20)

𝐕𝐞𝐧𝐝𝐨𝐫 𝐌𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐏𝐨𝐥𝐢𝐜𝐲