FAQs - BT security requirements
The security requirements document is very long, do I have to comply with all of it?
As part of the contract negotiation there will be a condition headed "BT Security Requirements". Within this condition you will be advised which parts of the Security Requirements are applicable to the scope of work that you will be undertaking.
I do not think all the sections I have been asked to comply with are applicable. What should I do?
Speak to the procurement buyer who is handling your contract negotiation and provide justification for each of the sections that you have been asked to comply with that you believe should not be applicable. Procurement will liaise with the BT Security team, who will review the clause sections against the scope of work that will be undertaken and decide whether they agree that those clauses should be downgraded.
I cannot fully comply with all the clauses that are applicable to me. What should I do?
Speak to the procurement buyer who is handling your contract negotiation and provide details of your non-compliance, together with information on any mitigations you have in place that lower the risks associated with it. Procurement will liaise with the BT Security team, who will review the clause sections against the scope of work that will be undertaken and your level of compliance with the other clauses. Non-compliances will be recorded in the contract so that both parties are clear on the level of compliance with the BT Security Requirements that will be achieved.
I already hold a security certification (e.g. ISO 27001, Cyber Essentials Plus, SSAE 16 SOC 2). Why do I need to comply with BT's Security Requirements?
We have the BT Security Requirements to ensure that all Third Parties that require access to any of the following have appropriate controls in place to ensure the security of our property, information (including Personal Data), customers, systems, networks, supplies, products and services:
- BT's property, and/or
- Systems (the services and service components, products, networks, servers, processes, paper-based systems or IT systems, e.g. SharePoint, email, databases)
- Networks (BT-owned networks, LANs and WANs)
- Information (meaning information whether in tangible or any other form, including, without limitation, specifications, reports, data, notes, documentation, drawings, software, policies, procedures, processes, standards, computer outputs, designs, circuit diagrams, models, patterns, samples, inventions and know-how, and the media upon which such information is supplied)
The BT Security Requirements are derived from the controls of ISO 27001 and from BT's own policies, and, in order to meet EU GDPR legislation, contain clauses to ensure that appropriate technical and operational controls are in place to protect personal data. The BT Security Requirements reflect the way in which our own security regime works, and compliance with them assures us that a Supplier has an equivalent security regime.
I don't understand the full intent of some of the clauses. Who can I speak to?
Speak to the procurement buyer who is handling your contract negotiation. They will contact BT Security and arrange a call for you to discuss your concerns.