Supplier Information Security Policy

The purpose of this policy is to protect our information assets, ensure suppliers apply appropriate security controls, and support compliance with laws and standards such as GDPR and ISO/IEC 27001:2022.

1. PURPOSE

This policy establishes the mandatory information security requirements that all suppliers and sub-suppliers must follow when handling, accessing, storing, processing, or transmitting data on behalf of Wilhelmsen Ship Management.

Its purpose is to:

  • Protect our information assets from unauthorized access, misuse, loss, or disclosure.
  • Ensure that suppliers implement appropriate technical and organizational controls to safeguard data throughout its lifecycle.
  • Support our commitment to compliance with applicable laws and regulations, including GDPR, and internationally recognized standards such as ISO/IEC 27001:2022.

All suppliers are required to comply with this policy as a condition of doing business with Wilhelmsen Ship Management.

2. SCOPE AND APPLICABILITY

This policy applies to all suppliers who:

  • Access or process sensitive, confidential, or personal data.
  • Interface with critical IT systems or infrastructure.
  • Deliver services that may impact the confidentiality, integrity, or availability of our information assets.

These requirements complement the Wilhelmsen Ship Management Onboarding Questionnaire, Wilhelmsen Ship Management General Conditions of Purchase, and Wilhelmsen Ship Management Framework Agreement.

3. SUPPLIER RISK CLASSIFICATION

Suppliers are classified based on the potential impact they may have on our information security environment. The classification guides the level of oversight, security requirements, and monitoring applied throughout the supplier relationship.

Risk levels include:

  • High Risk:
    Suppliers with access to sensitive or confidential data, critical systems, or services where a security breach could significantly affect our operations, compliance obligations, or business continuity.
  • Low Risk:
    Suppliers with minimal or no access to sensitive data or systems, where the security impact is limited.

Risk classification is determined during supplier onboarding and is reviewed periodically or whenever a material change occurs in the supplier’s services, technology, or risk profile.

4. SECURITY REQUIREMENTS

Suppliers must implement and maintain security controls aligned with our internal standards and ISO/IEC 27001, including:

  • Access Control: Strong authentication and Multi-Factor Authentication (MFA) for remote access
  • Data Separation: Logical separation of our data from other customer data
  • Logging & Monitoring: Maintain audit logs for access and system changes
  • Malware Protection: Deploy and update antivirus and anti-malware tools
  • Vulnerability Management: Conduct regular scans and penetration testing
  • Encryption: Encrypt sensitive data at rest and in transit
  • Cybersecurity Risk Management: Safeguards against unauthorized access, breaches, and disruptions
  • Business Continuity: Backup and disaster recovery plans
  • Security Awareness: Regular training for staff handling our data
  • Subcontractor Compliance: Ensure subcontractors meet equivalent security standards

5. DATA PROTECTION AND CONFIDENTIALITY

All data supplied by our organization and accessed or processed by suppliers is strictly confidential and must be protected in accordance with GDPR requirements and all applicable contractual obligations.

Suppliers must:

  • Securely store, transmit, process, and delete our data using appropriate technical and organizational safeguards to ensure confidentiality, integrity, and availability.
  • Refrain from disclosing our data to any third party without our prior written consent, unless such disclosure is required by law. In such cases, suppliers must notify us in advance where legally permitted.

Suppliers remain responsible for ensuring that any subcontractors involved in service delivery follow the same data protection and confidentiality requirements.

6. INCIDENT MANAGEMENT

Suppliers must promptly report any actual or suspected cybersecurity incident, data breach, system compromise, or security threat that may affect our systems, services, or data. All incidents must be reported to us within 48 hours of discovery, or earlier where required by law or contract.

Incident reports must include, at minimum:

  • A description of the incident, including timeline, systems affected, and how it was identified.
  • An initial impact assessment, outlining potential or confirmed effects on the confidentiality, integrity, or availability of our data.
  • Mitigation and containment actions taken, along with planned next steps to remediate vulnerabilities and prevent recurrence.

Suppliers are required to fully cooperate with our teams during incident investigation and remediation activities and must not withhold any relevant information.

7. COMPLIANCE AND AUDIT

We reserve the right to audit the supplier’s systems, processes, and controls to verify ongoing compliance with contractual, regulatory, and information-security requirements. This may include, but is not limited to:

  • Requesting up-to-date certifications (e.g., ISO 27001, SOC 2, or equivalent).
  • Reviewing security documentation, including vulnerability assessments, penetration test results, and corrective action plans.
  • Conducting periodic or ad hoc audits, either remotely or onsite, with reasonable notice, to assess technical, operational, and data-handling practices.

Suppliers must fully cooperate with our audit activities and promptly address any identified gaps or non-conformities.

8. CHANGE NOTIFICATION

Suppliers must notify us of any significant changes that may affect the security of the services provided. This includes, but is not limited to:

  • Service enhancements or modifications
  • Updates to internal policies or procedures
  • Adoption of new technologies or platforms
  • Changes in key personnel or subcontractors involved in delivering the service

Upon receiving such notifications, we may:

  • Request supporting documentation
  • Conduct a security or risk assessment
  • Update the supplier’s risk classification
  • Schedule additional audits or verification activities

Failure to disclose material changes may result in a reassessment of the supplier relationship or contract terms.

9. TERMINATION AND OFFBOARDING

Upon termination of the supplier relationship or contract:

  • All access to our systems must be revoked within 24 hours.
  • All data belonging to us must be securely returned or permanently destroyed using approved methods.
  • A Certificate of Data Destruction must be provided to confirm secure disposal.
  • Relevant documentation must be retained for audit or legal purposes and provided upon request.

Suppliers must ensure that all subcontractors and third parties involved in service delivery follow the same offboarding requirements.