GDPR & ISO 27001 · Updated 20 Jun 2026 · 6 min read

Vendor Management Policy Template for GDPR & ISO 27001

Your suppliers are part of your attack surface and of your data-protection obligations. This free Vendor (Third-Party) Management Policy template covers both ISO 27001:2022 (Annex A controls 5.19–5.22, which address supplier relationships, supplier agreements, the ICT supply chain, and monitoring of supplier services) and GDPR (Article 28, processors), so a single document satisfies your security and privacy auditors.

Use this if you rely on cloud providers, SaaS tools, or any third party that handles your data, which is almost every modern SME. ISO 27001 auditors expect it (Annex A 5.19 requires defined processes for managing supplier risk), and it underpins the "sufficient guarantees" due diligence that GDPR Article 28(1) demands before you appoint a processor.

Template

Vendor & Third-Party Management Policy

ISO 27001 A.5.19–5.22 · GDPR Art. 28

1. Purpose & Scope

This policy governs how [Company Name] selects, assesses and monitors suppliers and third parties that access its systems or process its data. It applies to all such relationships, including [list critical suppliers, e.g. cloud hosting, payroll, email].

2. Vendor Risk Tiering

Vendors are tiered by the sensitivity of data they handle and their criticality to operations:

  • Critical/High — process personal or confidential data, hold privileged access to our systems, or are essential to service delivery.
  • Medium — limited access to internal (non-sensitive) data or systems.
  • Low — no access to sensitive data or systems.

The tier determines the depth of due diligence and the review frequency, e.g. [High = annual review, Medium = every two years, Low = on contract renewal].

3. Due Diligence

Before engagement, vendors are assessed for security and data-protection posture in proportion to their tier, for example via a security questionnaire, review of a SOC 2 report or ISO 27001 certificate (checking that the scope and period actually cover the service we will use), and a penetration-test summary. Findings are recorded, and residual risks are treated or formally accepted by [role].

4. Contractual Requirements

Agreements with vendors that process personal data on our behalf include the GDPR Article 28(3) terms: processing only on documented instructions, confidentiality obligations on the vendor's staff, appropriate security measures (Article 32), prior authorisation and flow-down of obligations for sub-processors, assistance with data-subject requests and with our security and breach obligations, notification of personal-data breaches within [e.g. 48 hours] (set a window that leaves time for our own 72-hour notification deadline under Article 33), return or deletion of data on termination, and the right to obtain information and to audit or inspect. Additional security requirements and audit rights are included for higher-tier vendors that do not process personal data.

5. Ongoing Monitoring & Offboarding

Vendor security and performance are reviewed at the frequency set by their tier, and changes to a vendor's service or sub-processors trigger a re-assessment. On termination, all vendor access (accounts, API keys, network connections) is revoked promptly and data is returned or securely deleted, with written confirmation obtained. The vendor inventory is kept current.

✎ Items in [square brackets] are placeholders. Replace them with your organization's details.

How to customize this template

  • List your actual critical suppliers; the inventory is the first thing an auditor checks.
  • Match due-diligence depth to the tier; you don't need a full audit of a low-risk vendor.
  • Reuse vendors' SOC 2 reports and ISO 27001 certificates as evidence to speed up due diligence, but check the scope, the reporting period and any exceptions: a certificate covering a different business unit is not evidence for the service you buy.
  • Make sure your Data Processing Agreements actually contain the Article 28 terms summarised here, and that your breach-notification window works with your own 72-hour deadline.
  • Set review frequencies you'll genuinely keep to, and record each review.

What an auditor looks for

  • Is there a current inventory of suppliers, with risk tiers?
  • Is there evidence of due diligence before engagement for higher-risk vendors, and of periodic reviews afterwards?
  • Do contracts with processors contain the GDPR Article 28(3) clauses?
  • Is access revoked and data returned or deleted at offboarding, with confirmation on file?

Frequently asked questions

Does GDPR require a vendor management policy?

GDPR does not name such a policy, but Article 28 requires controllers to use only processors that provide sufficient guarantees and to bind each one with a contract containing specific terms. A vendor management policy is how you operationalise and evidence that.

Is this the same as a Data Processing Agreement?

No — the policy defines how you manage vendors; the DPA is the contract you sign with each processor. The policy ensures every relevant vendor has a compliant DPA in place.

How do I assess a vendor's security quickly?

Review their SOC 2 Type II report or ISO 27001 certificate, checking that the scope and period cover the service you will use, send a short security questionnaire for the gaps, and record the outcome. Tier the depth of review to the risk.