Subcontractor & Vendor Policy
Assurance baseline and flow‑downs for partners (Public) • v1.1
Document control
| Owner | Chief Executive Officer | Approver | Chief Executive Officer |
|---|---|---|---|
| Version / date | v1.1 / 25 Sep 2025 | Next review | 01 Jun 2026 |
| Applies to | All Virtus Group staff, contractors and vendors/subcontractors | Distribution | Public |
Purpose & scope
This policy sets baseline expectations and flow-down obligations for subcontractors and upstream vendors engaged by Virtus Group to deliver services to our clients, including government. It complements our internal Vendor Management Standard and Procedure and is intended to be shared with partners.
Classification & due diligence
| Vendor classification | Critical • Important • Non‑Critical (based on service impact and data sensitivity). |
|---|---|
| Assessments | Security posture (ISO 27001/SOC 2/NZISM), privacy, residency, breach history, financial viability, references. |
| Onboarding | Vendor profile, risk assessment, contract approval, induction (security & H&S). |
Contractual requirements (flow‑downs)
- Confidentiality and information handling; storage, transmission, destruction requirements.
- Security safeguards aligned to risk; compliance with applicable law and standards.
- Breach notification: within 24 hours for Critical vendors; within 72 hours for others.
- Right to audit premises/processes; periodic assurance reports (e.g., ISO 27001/SOC 2).
- Sub‑processor control: disclose and obtain approval; ensure equivalent obligations.
- Access control: least‑privilege, time‑bound, logged; immediate offboarding at contract end.
- Exit: return/secure destruction of data; certification provided.
Operational management
| SPOC & escalation | Each relationship has a Single Point of Contact at Virtus Group and at the vendor, with a documented escalation ladder. |
|---|---|
| Performance | SLAs monitored; periodic scorecards and reviews held. |
| Change control | Material service changes trigger re‑assessment of risk and contract terms if required. |
| Monitoring | Annual reviews/self‑assessments; scorecards; risk re‑assessments; audits as needed. |
Exemptions & enforcement
Exemptions to this policy must be approved by the Head of Security & Compliance and the Director, documented, and reviewed annually. Non‑compliance may lead to corrective actions, contract suspension/termination, or regulatory escalation.
Reporting
Report vendor‑related risks, incidents, or issues immediately to compliance@virtusgroup.biz or via the Virtus Group Service Desk (0800 847 887). Urgent data‑breach notifications must follow the timeframes above.
Related documents
- Vendor Management Standard (internal)
- Vendor Management Procedure (internal)
- Information Security Policy, IAM Standard, Encryption Standard, Business Continuity Plan
- Privacy Policy — Operational Summary