Vanta policy template instructions

This Vanta policy template represents a complete, compliance-ready policy with placeholders for company specific text. Each policy section represents a policy-specific topic that you should consider and/or modify to match your company’s practices.

For each policy section

  • Consider if this section and its corresponding risks apply to you. If it does not, remove it and/or replace it with your organization’s corresponding practices.

  • Replace any highlighted text in angled brackets < > [1] with your own language

  • Rewrite the policy language such that it reflects the practices of your organization

Policy completion checklist

  1. Use Find to make sure that all text in angled brackets is replaced

  2. Proofread your policy for spelling and grammar mistakes

  3. Confirm that the policy's content reflects your organization's practices

  4. Add any company-specific letterhead, branding, and formatting

  5. Remove this instructions page

  6. Export this document as PDF — File > Save As > Change “File Format” to PDF

  7. Upload the PDF to Vanta at https://app.vanta.com/policies

More questions?

A good rule-of-thumb is to keep your language at a high enough level such that it stays representative for at least a year. If you have more questions about how to use this template, please reach out to support@vanta.com or your auditor for additional guidance.

Third-Party Management Policy

Policy Owner: Managing Director

Effective Date: 2023-05-01

Purpose

To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

This document outlines a baseline of security controls that CloudCard expects partners and other third-party companies to meet when interacting with CloudCard Confidential data.

Scope

All data and information systems owned or used by CloudCard that are business critical and/or process, store, or transmit Confidential data. This policy applies to all employees of CloudCard and to all external parties, including but not limited to CloudCard consultants, contractors, business partners, vendors, suppliers, outsourced service providers, and other third-party entities with access to CloudCard data, systems, networks, or system resources.

Policy

Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with each supplier and documented.

For all service providers who may access CloudCard Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities. Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by CloudCard, as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR or other frameworks, compliance standards, or regulations.

Information Security in Third-Party Relationships

Addressing Security in Agreements

Relevant information security requirements shall be established and agreed upon with each supplier that may access, process, store, transmit, or impact the security of Confidential data and systems, or provide physical or virtual IT infrastructure components for CloudCard.

For all service providers who may access CloudCard production systems, or who may impact the security of the CloudCard production environment, written agreements shall be maintained that include the service provider's acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that CloudCard has established in accordance with CloudCard's information security program or any relevant framework.

Technology Supply Chain

CloudCard will consider and assess risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.

...

Third-Party Service Delivery Management

Monitoring & Review of Third-Party Services

CloudCard shall regularly monitor, review, and audit supplier service delivery. Supplier security and service delivery performance shall be reviewed at least annually.

...

Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures, or controls, shall be managed, taking account of the criticality of the business information, systems, and processes involved. CloudCard shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.

...

Third-Party Risk Management

CloudCard will ensure that potential risks posed by sharing Confidential data or providing access to company systems are identified, documented and addressed according to this policy. Risk management plays an integral part in the governance and management of the organization at a strategic and operational level. The purpose of a partner and third-party security policy is to ensure that partnerships and services achieve their business plan aims and objectives, and are consistent with CloudCard's requirements for information security.

CloudCard shall not share or transmit Confidential data to a third party without first performing a third-party risk assessment and fully executing a written contract, statement of work, or service agreement that describes expected service levels and any specific information security requirements.

Third-Party Security Standards

All third parties must maintain reasonable organizational and technical controls as assessed by CloudCard.

Assessment of third parties which receive, process, or store Confidential data or access CloudCard's resources shall consider the following controls as applicable, based on the service provided and the sensitivity of data stored, processed or exchanged.

...

If third parties are storing or processing Confidential data, their physical and environmental security controls should meet the requirements of the CloudCard Physical Security Policy.

Human Resources

Third parties shall maintain human resource policies and processes which include criminal background checks for any employees or contractors who access CloudCard Confidential information.

Compliance & Legal

CloudCard shall consider all applicable regulations and laws when evaluating suppliers and third parties who will access, store, process or transmit CloudCard Confidential data. Third-party assessments should consider the following criteria:

  • Protection of customer data, organizational records, and records retention and disposition

  • Privacy of Personally Identifiable Information (PII)

Exceptions

Requests for an exception to this Policy must be submitted to the Managing Director for approval.

Violations & Enforcement

...

Any known violations of this policy should be reported to the Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Version | Date       | Description   | Author         | Approved by
1.0     | 2023-03-26 | First Version | Ryan Heathcote | Luke Rettstatt

[1] All fields in this document marked by angled brackets < > and highlighted must be filled in.