Creating a policy to evaluate the Third Party Security



Hi Group.

Good day.

As part of policy creation I am creating a policy to evaluate third-party security.

Can anyone share any templates or provide input on what needs to be considered to evaluate third-party security?



Ajay -

I saw your post and didn't know if this would be useful for you at all. Our company is involved in the C-TPAT program for the US Customs Dept. It deals with importing foreign goods and maintaining security for incoming goods. We primarily deal with Manufacturers so our survey is based on US Customer requirements tailored to that group - but they have many more - see

I attached the generic survey we use for Manufacturers - maybe you can pull some ideas from it or find what you need at the above website. We typically ask the manufacturer to complete the survey and then send someone from our facility to verify their responses. Once it is on file, we have a simpler form that we use for the three-year review cycle. It simply asks for the basic information and whether or not there have been any changes. If there have been, then we ask for a description and re-verify with a site visit. If none, then we just keep it on file.

Let me know if this helps.
~ Geralyn


Attachment: C-TPAT Vendor Survey.doc (59.5 KB)

Richard Regalado

Hello again.

Writing a policy? Have you assessed the risk coming from 3rd-party security? If not, I suggest you do the risk assessment first. After all, the course of action embodied in your policy is related to your risk.

There are many templates on the Net, but you have to customize them to your organization, and one way of addressing your specific needs is by assessing your risks.



Richard has hit the nail on the head. A policy document on third-party security should set out the requirements and expectations on the third party: the data they use, their method of communications, their own responsibilities to protect data, retaining ISO 27001 certification, etc.

That is only half of the story. How have your existing risk assessments been completed with regards to:

- transmission of data to/from third parties
- third party confidentiality clauses that protect you as the customer
- the integrity of their services - what if they suffer a hack or data breach
- what happens when third party personnel leave?
- any assets (data or tangible) supplied to the third party
- their own business/service continuity arrangements
- etc. etc. etc.

Policy sets directions. Risk assessment demonstrates whether or not security activities and controls are effective. You need a combination of both.