Accreditations, insurances and data protection

Ensuring that the vendor has the right accreditations and insurances is an important part of the procurement process as these will help protect you as a customer. You also need to find out about their cyber security and data protection policies to ensure your data will be kept safe.

If you are transferring data outside of the EEA, the GDPR imposes some restrictions. This is important if you are handling client data. It is also important to undertake an independent assessment of the cyber security risks which any new technology introduces.

Example questions

Accreditation and insurance
  • Do you currently hold accreditation under ISO 27001 international standard for information security systems? If you do not, do you plan to obtain it and when?
  • If trading partners are used, please specify their names, addresses, and roles.
  • Which of these organisations, if any, are accredited to BS7799 /ISO 17799:2000?
  • Please provide a list of any other accreditations that you consider relevant and important to the submission.
  • Please provide copies of current insurance policies which would be relevant (including for instance professional indemnity and business interruption).
Data protection and cyber security
  • What is your organisation’s Data Protection Registration Number?
  • Please provide a short statement about the security measures you have in place to protect and manage personal data, addressing Article 5 and in particular Article 5 (2) of GDPR.
  • Where is your data stored? If it is held offsite, please provide full details of where it is stored?
  • Do you hold Cyber Essentials or Cyber Essentials Plus certification?
  • What security configuration and additional controls will be necessary as part of the system set up? How will they be maintained and by whom?
  • Please provide a short statement on the business continuity plans you have in place to protect your organisation and its continued business function.
  • What are your protocols if you suffer a data breach? When and how will you inform us?

IT Procurement Guide

Download a full pdf version of the guide

Read more