Supplier Evaluation & Control

Updated 27.01.2026

A document forming part of the Immercial IMS.

Contact us

7. Supplier Evaluation & Control

Document Name: Supplier Evaluation & Control Procedure
Version: 1.0
Approved by: Directors, Immercial Limited
Review Frequency: Annual or upon material change

7.1 Purpose

This document defines how Immercial Limited identifies, evaluates, and controls suppliers and service providers whose products or services may impact service quality or information security.

Supplier controls are proportionate to the size, operational model, and risk profile of a micro-company consultancy.

7.2 Scope

This procedure applies to suppliers and service providers that may materially affect:

  • Consultancy service delivery

  • Information security

  • Data handling or system availability

  • Intellectual property protection

Examples include (but are not limited to):

  • Cloud and hosting providers

  • Software and platform vendors

  • IT and security service providers

  • Specialist support services

Low-risk or incidental suppliers are managed pragmatically.

7.3 Supplier Identification

Suppliers are identified and recorded where their involvement could influence:

  • Client deliverables

  • Operational continuity

  • Confidentiality or integrity of information

A formal approved supplier list is maintained where appropriate.

7.4 Supplier Evaluation Criteria

Suppliers are evaluated on a risk basis, considering factors such as:

  • Relevance to service delivery

  • Reliability and performance

  • Information security implications

  • Contractual clarity

  • Alignment with recognised standards or good practice

Formal certification (e.g. ISO or Cyber Essentials) is considered beneficial but not mandatory unless justified by risk.

7.5 Supplier Control Measures

Controls may include:

  • Contractual terms and service agreements

  • Access restrictions to systems or data

  • Periodic review of supplier performance

  • Use of reputable, industry-recognised providers

Supplier controls are designed to be practical and proportionate.

7.6 Supplier Review

  • Key suppliers are reviewed periodically or when changes occur.

  • Issues affecting quality or security are recorded and addressed through corrective actions where required.

  • Supplier performance may be reviewed as part of management review activities.

7.7 Records & Evidence

Supplier records may include:

  • Supplier lists

  • Evaluation notes

  • Contracts or agreements

  • Review outcomes

Records are retained in accordance with the Document & Record Control Procedure.

7.8 Review & Improvement

This procedure is reviewed annually or when changes to suppliers, services, or risk profile occur.

Immercial Limited