Supplier Information Security Expectations

Updated 27.01.2026

A document forming part of the Immercial IMS.

Contact us

14. Supplier Information Security Expectations

Document Name: Supplier Information Security Expectations
Version: 1.0
Approved by: Directors, Immercial Limited
Review Frequency: Annual or upon material change

14.1 Purpose

This document sets out Immercial Limited’s expectations regarding information security for suppliers and service providers whose services may involve access to, processing of, or impact on information assets.

It supports ISO 27001 requirements and aligns with Immercial’s risk-based, proportionate approach to supplier management.

14.2 Scope

These expectations apply to suppliers and service providers that may:

  • Process or store Immercial information

  • Support digital platforms or cloud services

  • Have access to client, commercial, or proprietary data

  • Influence the confidentiality, integrity, or availability of information

Low-risk suppliers are managed pragmatically.

14.3 Security Expectations

Suppliers are expected, where appropriate, to:

  • Protect information from unauthorised access or disclosure

  • Apply reasonable security controls relevant to the service provided

  • Restrict access to authorised personnel only

  • Support secure handling, storage, and transmission of information

  • Notify Immercial of security incidents that may affect information assets

Formal certification (e.g. ISO 27001 or Cyber Essentials) is beneficial but not mandatory unless justified by risk.

14.4 Contractual & Operational Controls

Where appropriate, security expectations are addressed through:

  • Contracts or service agreements

  • Platform terms and conditions

  • Access control restrictions

  • Use of reputable, industry-recognised providers

14.5 Supplier Review

  • Supplier security considerations are reviewed when onboarding new suppliers.

  • Changes to supplier services or risk profile may trigger review.

  • Security issues involving suppliers are recorded and addressed through corrective actions where required.

14.6 Responsibility

Senior management is responsible for:

  • Determining which suppliers are in scope

  • Applying proportionate security expectations

  • Reviewing supplier-related risks

14.7 Records & Evidence

Evidence may include:

  • Supplier lists

  • Evaluation notes

  • Contracts or agreements

  • Security-related correspondence

Records are maintained in accordance with the Document & Record Control Procedure.

14.8 Review & Improvement

This document is reviewed annually or when changes to supplier arrangements or risk profile occur.

Immercial Limited