Supplier management is the workflow for maintaining the inventory of suppliers, third parties, and processors your organisation depends on, together with their security posture, ownership, verification method, and connected assets or processing activities. It is the workflow that anchors supply-chain risk, and it is heavily examined under NIS2 and ISO 27001.
🆕 What's new: The Supplier management workflow brings together what used to be spread across themed lists. Your existing suppliers, owners, verification methods, and assessment records are all here, exactly as they were — just on one focused page.

Setting it up
If you haven't run the guided setup yet, do that first. It's an AI-assisted flow that helps you go from zero to a working supplier register quickly:
- An AI-proposed initial supplier list. Cyberday's AI suggests suppliers based on your integrations and known vendors. You review and confirm.
- Set criticality per supplier. Tier each supplier so the right level of scrutiny is applied.
- Pick the verification method. Choose how each supplier is verified — certification, your own monitoring, or no verification needed for low-risk relationships.
- Send the first security assessments. For relevant suppliers, the workflow dispatches an initial assessment so verification can begin straight away.
You can also configure the workflow manually on the page — the guided version just gets you to a working state in minutes.
What's on the page
Main metrics
The header carries three views of how your supplier oversight is doing:
- Supplier verification level — a donut showing how partners are verified (Certification / Own monitoring / No need)
- Supplier ownership — % of suppliers with a proper data owner assigned
- Supplier assessment status — a stacked bar of Sent / Inquired / Completed / Overdue assessments
Actions to focus on
A prioritised list of what to handle next, grouped into three buckets:
- Unblock — issues stopping the workflow from running properly. For Supplier management, these are "Add first supplier" and "Suppliers without an owner".
- Strengthen — recommended next moves to make this workflow more robust. These include "Add more suppliers" (when fewer than 10 are registered), "Suppliers without a verification method", "Suppliers without connected assets or processing activities", and "Send security assessments for relevant suppliers".
- Maintain — scheduled reviews and check-ins on what's already in place: "Review supplier priorities" and "Review security assessment details".
Clicking into a bucket opens a focused list — you can resolve, refine, or check off each item without leaving the workflow page.

Documentation
The documentation that backs your supplier management practice, organised by partner category:
- System providers — inventory of system and service providers
- Data processors — partners processing personal data on the organisation's behalf
- Other stakeholders — additional partner categories (consultants, advisors, etc.)
A "+1 more" control expands the list beyond the default three categories. Each row shows the item count, the related ISMS theme, and the responsible owner.
Tasks
Below the documentation, the workflow page lists the operational tasks — for example, data processing partner listing and owner assignment, criteria for high-priority partners, documentation of other stakeholders, documentation of partner contract status, and documentation of customer groups whose information is processed. Each task shows its theme, status (Untreated / Partly done / Mostly done / Fully done), owner, priority (Low / Normal / High / Critical), and due date.
Reports
The audit-ready outputs Supplier management produces:
- Data processing partners and data processing agreements — the list of partners processing personal data on the organisation's behalf, with the agreements in place and their status
- Supplier security policy — describes the security requirements partners must meet, the verification method per partner type, and how assessments are conducted
Reports refresh from your live data, so they're always current.
How it connects to other workflows
Suppliers connect directly to Asset inventory — each supplier ties to the systems and data they support — and to Risk management for third-party risk. When GDPR is active, suppliers also surface in Privacy management as processors.