The Centauri Step, Governance and IT Security


Guide to Negotiating with Suppliers

Marion Mellor

Should Purchasing be left alone to deal with suppliers on IT security issues?

It’s all about preparation…

When the Purchasing department calls on you, it means that there is a contract project with a supplier. Obviously. And therefore a “business operational” (someone on the business side) within the company who needs a service. Obviously.

Here are the steps I recommend for the day-to-day management of your supplier security audits:

  1. Assess the security criticality of the service. Is it a contract to maintain green plants, or a SaaS cloud service to manage IS user identities?
  2. Contact the supplier to both send them a questionnaire and notify them of the existence of a Security Clausier (the set of standard security clauses to be attached to the contract).
  3. The third step is... waiting! Yes, waiting for feedback from the supplier on the IT Security requirements for your contracts!

If the supplier review approach is clear to your counterpart, the contract negotiation starts naturally and its objectives are understood by both parties.


In some cases, the Procurement department sends a model contract as part of the bidding procedure before the supplier has been selected or the contract negotiated. In this case, Purchasing also sends the security questionnaire, and some answers or evidence may be missing – let’s be honest, it’s the case about 90% of the time. The service provider may request adjustments to the contract well before the tender assessor has begun discussions with them. This occurs frequently and you need to be prepared for it.

How much time should you allocate to negotiations?

It is often necessary to adapt the security Schedule to the services concerned by the contract. However, increasingly, organizations prefer to first agree to a model “framework contract” to which “implementation contracts” defining the terms of the service more precisely are then attached. This is the case for large corporate groups, where a framework contract is negotiated by central teams to make it easier for subsidiaries to negotiate preferential rates or prices.


In 25% of cases, you should expect to need at least two hours of back and forths to get to the bottom of a supplier’s reasons for refusing to commit to compliance with your security rules.

In 50% of cases, the security negotiation takes just two or three back and forths between the business and the supplier. Usually, the purpose of this is to adapt the terms, especially where no data is exchanged between the parties – which, in reality, is quite a rare thing. You need to properly investigate the service, and particularly the level of functional support provided. For example, in some cases I have needed to make sure that the business unit has properly understood all the options to which it is subscribing.

And in the remaining 25% of cases, you need to go back to the business unit project manager to ask them to formally accept the risk of a contract with a service provider which refuses some of the security requirements (this can take several days and a lot of going back and forth).

IMPORTANT: It is up to the “business unit”, and not the “Security unit”, to accept the risk. It is not up to Security to veto contracts, but it does have an educational role: it must assess and explain the risks of having a supplier who is not subject to the same security commitments as those in place within the organization.


  1. Take time to understand the supplier’s security maturity level and the criticality of the service being sold. It is always useful to carry out a supplier review at the same time as negotiating a contract. This way you can assess the reality of the commitments that the supplier is willing to take.
  2. Always refer back to the regulatory standards. A very general reference to a standard is always better than nothing, and can help unblock situations.
  3. Involve Purchasing (normally always present during meetings with suppliers) and the Business Unit to explain the operational consequences of a particular clause.
    For example, a critical clause that suppliers sometimes refuse is the one concerning notifications in case of a security breach.