Printed from CheckTick DSPT Compliance Documentation
Supplier Security Assurance Procedure
1. Scope
This procedure applies to all new and existing suppliers identified as 'Critical' or 'Data Processing' in the CheckTick Supplier Register.
2. Pre-Contract Due Diligence
Before a contract is signed or a service is utilized, the CTO/SIRO must verify:
- Security Accreditations: Does the supplier hold ISO 27001, SOC2 Type II, or Cyber Essentials?
- Data Residency: Where is the data stored? (Preference for UK/EEA).
- Data Protection Agreement (DPA): Does the supplier offer an Article 28-compliant DPA?
3. Approved Accreditation Standards
CheckTick accepts the following certifications as evidence of 'appropriate security':
- ISO/IEC 27001:2013 or 2022 (Information Security Management)
- SOC2 Type II (Security, Confidentiality, and Availability)
- Cyber Essentials / Cyber Essentials Plus (UK Government Standard)
- CSA STAR (Cloud Security Alliance)
4. Annual Audit
During the Q1 Security Review, the SIRO will:
- Re-download and verify the latest ISO/SOC2 certificates for Northflank.
- Confirm that no major security breaches have been reported for the supplier in the preceding 12 months.
- Update the Supplier Register with the 'Next Review' date.