Supplier security policy (draft)

This policy defines a draft structure for supplier security, aligned to ISO/IEC 27001 expectations. It does not list actual suppliers unless explicitly documented elsewhere.


Owner	Information Security Officer
Contact	infra@lef.tec.br
Version	0.1
Last updated	2025-12-24
Review cadence	Annual (and on material supplier changes)

1. Purpose

Define how LEF evaluates, contracts with, and periodically reviews suppliers that can impact information security.

2. Scope

Applies to third parties that:

host, process, transmit, or access LEF/client data; or
provide core connectivity/security controls; or
materially affect availability of services in scope.

3. Requirements (draft)

3.1 Due diligence (before onboarding)

At minimum:

Confirm the service purpose, data involved, and access required.
Confirm authentication/access approach (SSO/MFA where supported).
Confirm data location/retention expectations (where relevant).
Record decision and owner.

3.2 Contractual expectations

Where applicable (by risk):

confidentiality obligations
incident notification expectations
subcontractor transparency
termination/offboarding expectations and data return/deletion

3.3 Ongoing review

Review cadence based on criticality.
Re-evaluate on major changes (scope, pricing, feature changes, incidents).

4. Keeping “one fact, one place”

Service facts (what it is, entry points, operational notes) live on the relevant /services/** page.
This policy describes the process and expectations; it should not duplicate service inventories.

Records / evidence

Supplier register (in-scope suppliers + criticality):
Due diligence artifacts and approvals:
Periodic supplier reviews:

Suppliers ISO 27001 readiness Risk management Services