Supplier Information Security Policy
Updated 12 November 2024
1. Introduction
This Supplier Information Security Policy outlines the expectations and requirements for all suppliers working with Retrospect Labs to align with ISO/IEC 27001:2022 - Information technology — Security techniques — Information security management systems — Requirements. Compliance with this policy is mandatory for all suppliers, vendors, and third-party service providers (collectively referred to as “suppliers”) that process, store or transmit sensitive information on our behalf.
Information is considered sensitive if it relates to our internal capabilities, our customers, or data marked as “COMMERCIAL IN CONFIDENCE”.
2. Objective
The objective of this policy is to ensure that the supplier's security controls align with the requirements of ISO/IEC 27001:2022 to protect the confidentiality, integrity, and availability of Retrospect Labs information.
3. Scope
We shall assess all current and future suppliers to determine whether they fall under this Policy. As a general rule, the policy applies to suppliers that meet any of the following criteria:
- Will possess, at any stage, data that we classify as “INTERNAL USE ONLY” or above.
- Perform a service where our reputation is influenced by the performance or conduct of the supplier.
- The Retrospect Labs employee managing the supplier believes it is in our best interest to apply this policy to the supplier.
Relevant suppliers are required to complete our Supplier Cyber Risk Questionnaire.
4. Policy
4.1 Supplier risk assessment
Suppliers must undergo regular risk assessments to identify security risks related to the services provided to Retrospect Labs. The level of risk management must be proportionate to the potential impact on Retrospect Labs.
4.2 Information security management
Suppliers shall implement and maintain practices aligned with ISO/IEC 27001:2022 requirements, ensuring that:
- Confidentiality, integrity, and availability of Retrospect Labs information are preserved.
- Legal, regulatory, and contractual obligations are met.
- Security performance is continuously monitored and improved.
4.3 Personnel security
Suppliers must ensure that their personnel who have access to sensitive Retrospect Labs information are vetted, trained, and aware of their information security responsibilities.
4.4 Access control
Suppliers shall restrict access to sensitive Retrospect Labs information to authorised personnel only and ensure proper authentication and authorisation mechanisms are in place.
4.5 Cryptographic controls
Where applicable, suppliers shall use cryptographic controls to protect the confidentiality and integrity of sensitive Retrospect Labs information.
4.6 Physical and environmental security
Suppliers must secure physical access to systems and infrastructure that process sensitive Retrospect Labs information to prevent unauthorised access, damage, or interference.
4.7 Operations security
Suppliers shall implement and manage operational procedures and responsibilities to ensure the secure operation of information processing facilities.
4.8 Communications security
Suppliers shall protect sensitive Retrospect Labs information while it is handled on or transmitted over their networks, and shall protect the services connected to those networks.
4.9 System acquisition, development, and maintenance
Suppliers shall ensure that information security is an integral part of their information systems across the entire lifecycle.
4.10 Supplier relationships
Suppliers must agree to comply with these requirements and demonstrate their compliance upon request. Additionally, suppliers are responsible for ensuring that their own suppliers align with these security requirements when accessing sensitive Retrospect Labs information.
4.11 Audit and review
We may conduct audits and reviews of a supplier's information security practices to ensure compliance with this policy.
4.12 Incident management
Suppliers shall report information security incidents promptly to our point of contact, and must cooperate in incident investigation and resolution.
4.13 Business continuity management
Suppliers must have business continuity and disaster recovery plans that align with our requirements and ISO/IEC 27001:2022.
5. Compliance and enforcement
Non-compliance with this policy may lead to suspension or termination of the supplier's contract with Retrospect Labs.
6. Review and update
This policy shall be reviewed and updated regularly, or when significant changes occur within Retrospect Labs or in the regulatory environment.
7. Acknowledgment
For any questions regarding this policy, please contact the Retrospect Labs Information Security Manager (ISM) at security@retrospectlabs.com.