If you don't tell vendors what security standards they must follow, they may store your customer data on unsecured phones, share passwords openly, or lose files containing business secrets. A real scenario: an Indian textile exporter hired a logistics vendor who stored delivery records and customer contact details in an unencrypted Excel file on a shared folder—leading to a data breach that exposed 5,000 customer phone numbers and a ₹50 lakh lawsuit. Without clear vendor security expectations, you also fail DPDP Act compliance audits and lose customer trust when they ask if your vendors are secure. Your customers may simply stop buying from you if you can't prove your supply chain is protected.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- **Absent:** You have no written vendor security requirements at all. Your vendors sign a generic purchase order or agreement with no mention of data security, passwords, access controls, or confidentiality.
- **Initial:** You have mentioned security once in conversation or email to a vendor, but there is no written document. When auditors ask what security rules vendors must follow, you cannot show them anything in writing.
- **Developing:** You have a simple written vendor agreement that includes basic security clauses like 'keep data confidential' and 'use password protection,' but you never check if vendors actually follow these rules. You have the document, but no way to verify compliance.
- **Defined:** You have a vendor security checklist or agreement that covers passwords, data handling, incident reporting, and access controls. You review vendor answers to this checklist before hiring them, but you don't follow up after they start work.
- **Managed:** You have detailed vendor security requirements in writing, you review them before hiring, and you conduct annual check-ins or simple audits to confirm vendors are still following the rules. You also terminate vendors who ignore security expectations.
- **Optimised:** Your vendor security program is documented and enforced consistently. You classify vendors by risk level, apply stronger controls to high-risk vendors, conduct regular audits, require incident reporting, maintain a vendor risk register, and have a process to handle vendor security breaches.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Send a one-page email to all current vendors listing five basic security rules: use strong passwords, do not share customer data without permission, report any data loss or theft immediately, store data securely, and restrict access to company information to authorized staff only. | Business owner or Operations manager | 2 hours |
| 1 → 2 | Create a simple one-page 'Vendor Security Agreement' document that includes the five rules from Step 1, and ask all vendors to sign and return it. Keep signed copies in a folder labeled 'Vendor Agreements'. | Business owner with legal review (optional local lawyer, ₹2,000–5,000) | 3–5 days |
| 2 → 3 | Expand the vendor security agreement to a simple checklist with yes/no questions: Does your vendor use passwords on all devices? Do they have a process to report data breaches? Can they describe how they store customer data? Send this checklist to all vendors before renewal and document their responses. | IT person or manager who knows your vendors | 1–2 weeks |
| 3 → 4 | Create a 'Vendor Security Assessment Template' (Google Form or Excel sheet with 10–15 questions) covering passwords, data storage, access controls, and incident reporting. Send it to vendors annually and maintain a spreadsheet tracking results. Document any vendor that fails to respond or provides weak answers. | IT person or dedicated compliance person | 3–4 weeks |
| 4 → 5 | Develop a formal vendor risk register that categorizes vendors by risk level (high, medium, low based on data they access), assign different security expectations to each tier, conduct annual risk assessments, require vendors to notify you of any security incidents within 24 hours, and maintain audit logs of all vendor assessments. Review and update the program quarterly. | Compliance manager or IT manager with business owner oversight | Ongoing (monthly reviews, quarterly updates) |
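As an added example (not code from the page or from the NIRMATA program), here is a small Python version of the vendor risk register from the 4 → 5 step: each vendor is tiered by the data it can reach, the yes/no checklist answers from the 2 → 3 step are scored, assessments older than the tier's review interval are flagged, and high-risk vendors face a stricter status than low-risk ones. The tier mapping, the 180/365-day intervals, the three checklist keys and the three sample vendors are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Tier follows the data a vendor can reach (the page's high/medium/low split); the mapping
# and the review intervals are assumptions for this example, not the page's own scoring.
TIER_BY_ACCESS = {"customer_data": "high", "internal_docs": "medium", "none": "low"}
REVIEW_DAYS = {"high": 180, "medium": 365, "low": 365}  # assumed: tighter cadence for high risk
CHECKLIST = ("device_passwords", "breach_reporting_process", "describes_data_storage")  # the 2 -> 3 questions

@dataclass
class Vendor:
    name: str
    data_access: str                  # "customer_data", "internal_docs" or "none"
    agreement_signed: bool
    last_assessed: "date | None"      # None means the vendor has never been assessed
    answers: dict = field(default_factory=dict)  # checklist question -> True/False

def assess(vendor: Vendor, today: date) -> dict:
    """Return one register row: tier, status and the findings an auditor would ask about."""
    tier = TIER_BY_ACCESS.get(vendor.data_access, "high")  # unknown access is treated as high risk
    findings = []
    if not vendor.agreement_signed:
        findings.append("no signed Vendor Security Agreement")
    if vendor.last_assessed is None:
        findings.append("never assessed")
    elif today - vendor.last_assessed > timedelta(days=REVIEW_DAYS[tier]):
        findings.append(f"assessment overdue for {tier}-risk tier")
    for q in CHECKLIST:
        if vendor.answers.get(q) is not True:   # unanswered counts as a weak answer
            findings.append(f"checklist: {q} not confirmed")
    # Stronger consequence for vendors that handle customer data, as the page's tiering requires.
    status = "compliant" if not findings else ("non-compliant" if tier == "high" else "follow-up")
    return {"vendor": vendor.name, "tier": tier, "status": status, "findings": findings}

def build_register(vendors, today: date) -> list:
    """High-risk and failing vendors sort first so a quarterly review sees them at the top."""
    return sorted((assess(v, today) for v in vendors),
                  key=lambda r: (("high", "medium", "low").index(r["tier"]), r["status"] == "compliant"))

def sample_register(today: date = date(2024, 4, 1)) -> list:
    """Constructed sample vendors (not real companies) run through the register."""
    vendors = [
        Vendor("Local logistics partner", "customer_data", True, date(2023, 6, 1),
               {"device_passwords": True, "breach_reporting_process": False, "describes_data_storage": True}),
        Vendor("Contract accountant", "internal_docs", True, date(2024, 1, 15), {q: True for q in CHECKLIST}),
        Vendor("Stationery supplier", "none", False, None),
    ]
    return build_register(vendors, today)

if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['tier']:<6} {row['vendor']:<24} {row['status']:<13} {', '.join(row['findings']) or '-'}")
```

The same rows can be written to the Google Sheets or Excel template described later on the page; the point of the `findings` column is that each auditor question ("how do you verify?", "when was the last assessment?") has a concrete answer per vendor.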
Documents and records that prove your maturity level.
- Signed Vendor Security Agreement or Data Protection Addendum from all current vendors
- Vendor Security Checklist or Assessment Template with documented responses from each vendor
- List of all vendors with their risk classification (high, medium, low) and the date they were last assessed
- Record of vendor assessment results (emails, forms, or spreadsheet) showing what security practices each vendor confirmed they follow
- Incident log or communication record showing how you handled any vendor security breach or non-compliance (if applicable)
Prepare for these questions from customers or third-party reviewers.
- "Show me the written security expectations or agreement that your vendors must follow. Do all vendors have a signed copy?"
- "How do you verify that vendors are actually following the security rules you set? What is your process for checking compliance?"
- "Which vendors have access to your customer data, and how are they different from vendors who only deliver goods? Do you apply stronger security rules to data-handling vendors?"
- "If a vendor had a data breach or security incident, what would happen? Have you ever had to deal with a vendor security issue, and how did you handle it?"
- "How often do you review or update your vendor security requirements? When was the last vendor assessed or re-assessed?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and send vendor security checklists or assessments without needing custom software | Google Forms (free, easy to set up and analyze responses) or Microsoft Forms | Typeform (₹1,200–2,500/month) for more professional templates |
| Store and organize vendor agreements, assessment results, and compliance records securely | Google Drive or OneDrive with password protection and sharing controls | Microsoft 365 Business Basic (₹200/user/month) for better access control and audit trails |
| Create a vendor risk register and track compliance status over time | Google Sheets or Excel (create your own template with columns for vendor name, risk level, last assessment date, status) | Airtable (₹600–1,200/month for teams) or ZenGRC (₹50,000–150,000/year for small teams) |
| Send automated vendor security questionnaires and track responses | Google Forms with email integration or Jotform free tier | OnePager (₹30,000–100,000/year) or SecurityScorecard (₹5,00,000+/year for enterprises; too expensive for MSMEs) |
- Creating a vendor security agreement and then never reading vendor responses or following up. Having a document but not enforcing it defeats the purpose, and auditors will ask for evidence that you actually checked compliance.
- Applying the same security rules to all vendors regardless of what data they access; a stationery supplier needs less oversight than a cloud storage vendor, but many Indian businesses don't differentiate and waste effort or under-protect high-risk vendors.
- Forgetting to include Indian-specific vendors (local logistics, BPO firms, contract accountants) in your security program because you assume they are 'too small' to cause harm—the textile exporter breach mentioned above happened with a local logistics partner, not an international firm.
- Not communicating security expectations clearly in the local language or in plain English; if your Hindi-speaking vendor doesn't understand that 'confidentiality' means they can't share customer phone numbers with their cousin, the agreement is useless.
- Setting security rules but never updating them; vendor practices and threats change, so agreements written five years ago may not cover cloud storage, remote work, or mobile devices that your vendors use today.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Data Processor obligations) and Schedule 1 (Code of Conduct requiring organizations to ensure processors follow security measures) |
| CERT-In 2022 | Section 6 (Organization to ensure third parties/vendors follow information security practices) and Guidelines on Cybersecurity in Supply Chain |
| ISO 27001:2022 | Clause A.5.23 (Information security for supplier relationships) and A.8.4 (Access control to suppliers) |
| NIST CSF 2.0 | Govern function, GV.RO (Risk and Oversight) category; Supply Chain Risk Management |