
Vendor Compliance Guide

Last updated on Dec 18, 2025

1. Purpose of This Guide

This guide helps you collect evidence showing that your vendors and contractors are required to meet cybersecurity expectations, not just your internal team.

This matters because:

  • Vendors are a common supply-chain attack path

  • Weak vendor security can undo your own controls

  • You’re expected to set minimum cyber requirements, not just “trust them”

This evidence proves you’ve told your vendors:

“If you work with us, cybersecurity is part of the deal.”


2. What You Will Submit

You will submit evidence that vendors are required to follow cybersecurity rules, such as:

  • Contract clauses or agreements that include cybersecurity requirements

  • Vendor security declarations or questionnaires

  • Procurement or onboarding documents stating minimum cyber controls

  • Screenshots or PDFs showing:

    • Vendor cyber requirements

    • Incident notification obligations

    • Security standards vendors must follow (e.g. Cyber Essentials, ISO 27001)

This is governance evidence, not a technical system screenshot.


3. How to Collect / Obtain / Generate This Evidence

Option A: Contract or Agreement (Most Common)

  1. Open a vendor or contractor agreement

  2. Locate sections covering:

    • Cybersecurity obligations

    • Data protection requirements

    • Incident or breach notification

  3. Export or screenshot the relevant pages only

  4. Redact pricing or commercial terms if needed

💡 Even a single paragraph stating vendors must follow cybersecurity requirements is enough.

Option B: Vendor Cybersecurity Requirements Document

  1. Create a simple document or PDF titled:

    • “Vendor Cybersecurity Requirements”

  2. Include statements such as:

    • Vendors must protect systems used to deliver services

    • Vendors must report cybersecurity incidents affecting your data

    • Vendors must maintain reasonable security controls

  3. Save as PDF and upload

This works especially well if contracts are short or informal.

Option C: Vendor Security Review or Questionnaire (Best Practice)

  1. Use a simple checklist or questionnaire

  2. Capture answers such as:

    • Do you follow recognised security standards?

    • Do you have an incident response process?

    • Will you notify us of a breach?

  3. Save the completed document or screenshot the responses

This supports A.6.4.E nicely, but is not mandatory.


4. Evidence Format

Accepted file types

  • PDF

  • PNG / JPG

Suggested naming format
YourCompanyName_VendorCompliance_Date

Example
AcmePteLtd_VendorCompliance_2025-07-01.pdf


5. What “Good” Looks Like

Your evidence is strong if it shows:

  • Visible element: Explicit cybersecurity requirements for vendors
    Why it matters: Proves expectations are clearly communicated

  • Visible element: Incident reporting or notification obligation
    Why it matters: Demonstrates preparedness for supply-chain incidents

  • Visible element: Applies to vendors or contractors (not just staff)
    Why it matters: Directly satisfies CSA third-party clauses

  • Visible element: Recent or currently used documentation
    Why it matters: Shows this is active, not forgotten paperwork

Simple, clear, and readable beats long and fancy.


6. Tips from Sir Stonk 🛡️

  • You don’t need enterprise-grade audits. A clear contractual requirement already meets the intent for most SMEs.

  • Focus on vendors that matter. IT providers, SaaS tools, developers, MSPs — not your office coffee supplier.

Supply-chain security doesn’t mean distrusting everyone.
It means setting the rules before the drawbridge comes down.