Agreements for approved suppliers should include a configuration map describing the supplier's solution and its interfaces with the organisation. The map should document data flows (including the classification of the data involved), integration points, access mechanisms, and any subprocessors or fourth-party dependencies. It forms the baseline for defining security responsibilities and supports orderly oversight and exit planning, and it should be kept current as the solution and its dependencies change.
The organisation must also document which tasks of security significance are covered under the agreement and assign clear ownership for each. Responsibilities retained by the organisation should be distinguished from those delegated to the supplier, so that no task is assumed to be handled by the other party. The agreement should also establish a termination plan that requires the supplier to securely return or delete all organisational data at contract end, with completion confirmed by a signed declaration. Access revocation, credential rotation, and retrieval of audit logs should be addressed as part of structured offboarding, with logs retrieved before the supplier's access and accounts are withdrawn, since they may no longer be obtainable afterwards.