Supplier purchase process considerations
If you are buying a service or product, there are other considerations that you must be aware of before completing the procurement process.
Supplier purchase process
The Information Security team provides guidance and support during your research phase for suppliers, through to your final selection procurement stages.
To ensure that we have time to review products or services with you, we strongly advise that you get in touch with us at least six weeks prior to completing any purchase.
Why do we consider information security as part of the supplier purchase process?
Third-party risk management is crucial in procurement because it helps the university protect itself from potential disruptions, financial losses, and reputational damage that can arise from engaging with external vendors and suppliers. Effective third-party risk management ensures business continuity, safeguards financial interests, and maintains a positive brand image.
When do you need to consider information security supplier assurance?
When the supplier is holding, processing, transferring, or retaining any university data on servers, applications, or devices. If you are unsure, please consult the Information Security Team.
Guidance for the initial stages of finding a supplier
1. First, contact the Information Security Team by email to inform us about the product or services you are considering for purchase.
Email the Information Security Team
2. We will review the information about the product or services and work with you to provide advice to ensure the supplier meets all security considerations and standards for UofG.
3. Inform or consult the Procurement Office for legal reasons:
- You will then be guided by Procurement on the most appropriate option.
Please review the two options below with guidance from the Procurement Office:
1. Option A
If you have been advised by Procurement to contact and review three or more suppliers, you should ask each of the suppliers to complete the Initial Supplier Assurance questionnaire and return it to you.
- Initial supplier assurance questionnaire (UofG) (Word, 35.7KB)
Send the completed questionnaire to the Information Security Team by email.
- This information will be reviewed by the team. We will assess if the supplier meets and complies with the standards and cyber security considerations for UofG. We will liaise with you during this process, which will help with your initial scoring of suppliers.
2. Option B
Full Tender Process – If you have been advised by the Procurement Office that you will need to go through a full tender process, the Initial Supplier Assurance questionnaire should be sent, on your behalf, to each supplier wishing to bid.
Once this documentation is completed and returned to Procurement, it will be passed to the Information Security Team to review.
Please note that the Information Security Team is not involved in tender scoring; it acts only in an advisory capacity on information security and cyber risk.
Data protection
You must consider the collection of personal and other data and how it will be used, including:
- Privacy notices (states how individuals' data will be used)
- Data sharing with third parties (to ensure compliance with data protection legislation)
- Data Protection Impact Assessment (DPIA) (this may be required)
Contact the Data Protection & Freedom of Information Office for more advice on personal data and data sharing.
Digital accessibility
We have legal obligations to ensure our digital content is accessible under the Equality Act 2010 and Digital Accessibility Regulations 2018.
The product or service must also conform to the Web Content Accessibility Guidelines (WCAG) 2.2 AA and all digital systems and content must include appropriate accessibility statements.
These are also the legal requirements for a supplier, and you must request evidence of product compliance from them.