Supplier management
ISO/IEC 20000-1:2018 Clause 8.3.3 requires you to actively manage suppliers so third-party dependencies do not break service quality: select appropriate suppliers, contract for measurable service targets, monitor performance, and fix poor performance quickly. Operationalize it by building a supplier lifecycle (onboarding → contracting → monitoring → remediation) with clear owners, metrics, and retained evidence.
Key takeaways:
- You need supplier selection criteria plus risk-based due diligence that maps directly to service delivery dependencies.
- Contracts must include service targets and operational hooks (reporting, audit rights, escalation, corrective actions) you can enforce.
- Ongoing monitoring and documented remediation are mandatory; “set-and-forget” supplier files fail audits.
“Supplier management” in ISO/IEC 20000-1 is not a procurement formality. It is a service management control designed to prevent third parties from becoming the weak link in your ability to deliver consistent, high-quality services. Clause 8.3.3 expects a closed-loop system: you choose suppliers that can meet your service needs, you formalize those expectations in contracts with service targets, you monitor performance against those targets, and you take action when performance slips. (ISO/IEC 20000-1:2018 Information technology — Service management)
For a Compliance Officer, CCO, or GRC lead, the fastest path to operationalization is to define (1) which suppliers matter to service delivery, (2) what “good” looks like in measurable terms, (3) how you will get performance data, and (4) what you will do when a supplier misses targets. Auditors will look for evidence that this is implemented and repeatable, not aspirational. They will also test whether your remediation actions are real (tickets, root-cause work, contractual enforcement) rather than narrative.
This page gives requirement-level implementation guidance you can put into a working program immediately.
Regulatory text
ISO/IEC 20000-1:2018 Clause 8.3.3 (Supplier management) requires that the organization manage suppliers to ensure delivery of seamless, quality services. The clause explicitly calls out four minimum activities: selecting suppliers, establishing contracts with service targets, monitoring supplier performance, and addressing poor performance. (ISO/IEC 20000-1:2018 Information technology — Service management)
What the operator must do: implement a supplier management process that covers the full lifecycle of suppliers that affect your services. The process must produce enforceable contracts, measurable targets, ongoing oversight, and documented corrective action when suppliers underperform. (ISO/IEC 20000-1:2018 Information technology — Service management)
Plain-English interpretation (what this really means)
If a supplier can impact your ability to deliver an IT service, you must:
- Choose them deliberately (not just based on cost or speed).
- Put measurable expectations in writing (service targets tied to your services).
- Track whether they meet expectations (using evidence, not assurances).
- Intervene when they don’t (documented actions that improve outcomes or reduce dependency risk).
A “supplier file” alone is not compliance. A contract alone is not compliance. A quarterly business review deck without actions is not compliance. ISO 20000 is testing whether supplier outcomes are managed as part of service management. (ISO/IEC 20000-1:2018 Information technology — Service management)
Who it applies to
In-scope entities
- Service providers delivering services to customers (internal or external).
- Any organization operating an ISO/IEC 20000-1 service management system. (ISO/IEC 20000-1:2018 Information technology — Service management)
In-scope operational context (what “supplier” means here)
Treat “supplier” broadly as any third party that enables, supports, or constrains service delivery, including:
- Cloud/hosting, telecom, managed service providers, SaaS platforms
- Hardware maintenance providers, datacenter vendors
- Critical subcontractors supporting your service desk, field services, NOC/SOC
- Tooling providers for monitoring, ticketing, identity, backups (if they are service-critical)
If a third party’s failure can cause an incident, outage, missed SLA, security exposure that degrades service, or inability to restore service, it belongs in scope for Clause 8.3.3.
What you actually need to do (step-by-step)
Step 1: Build and maintain a service-supplier dependency map
- List your customer-facing and internal services (from your service catalog, if you have one).
- For each service, identify third parties that support delivery (hosting, API providers, telecom, outsourced support).
- Classify suppliers by service criticality as “critical,” “important,” or “routine,” based on their impact on availability, continuity, incident response, and data handling.
Practical tip: Start with your top services and your last major incidents. Suppliers involved in incident timelines are usually your true critical set.
Step 2: Define supplier selection and onboarding criteria (risk-based)
Create selection criteria that reflect service outcomes, such as:
- Ability to meet required service targets (availability, response times, support hours)
- Operational maturity: incident handling, change management, continuity arrangements
- Reporting capability: ability to provide metrics you need for monitoring
- Subcontractor use and dependency transparency
Minimum operational outputs:
- A supplier onboarding checklist aligned to service needs
- Documented approval gates for critical suppliers (service owner + procurement + security/GRC)
Step 3: Put service targets and control hooks into contracts
Contracts must do more than describe pricing and term. For ISO 20000 supplier management, you need service targets and enforcement mechanisms you can use operationally. (ISO/IEC 20000-1:2018 Information technology — Service management)
Include, as applicable:
- Service levels and how they are measured (definitions matter)
- Availability/maintenance windows and notification obligations
- Support model: response and resolution expectations, escalation paths
- Incident notification and collaboration requirements (who, when, how)
- Performance reporting frequency and format
- Right to audit / right to receive independent assurance (as appropriate)
- Corrective action obligations and timelines
- Service continuity commitments (backup, restore, DR participation if required)
- Termination/exit assistance and data return/destruction (where relevant)
Contracting hangup that causes audit findings: service targets exist, but they are not linked to your service needs. Example: your customer SLA is strict, but supplier SLA is weaker with broad exclusions. Auditors will ask how “seamless, quality services” are ensured when upstream commitments don’t support downstream promises. (ISO/IEC 20000-1:2018 Information technology — Service management)
Step 4: Implement supplier performance monitoring with defined metrics and cadence
Set monitoring requirements based on criticality:
- Critical suppliers: operational performance reviews with defined metrics; integrate into service reporting.
- Important suppliers: periodic performance checks; evidence of review and follow-up actions.
- Routine suppliers: basic oversight and issue tracking.
Monitoring should include:
- SLA attainment (as defined in contract)
- Incident volume/severity and responsiveness
- Chronic problem themes and root-cause follow-through
- Change-related impacts and communication quality
- Customer-impacting events tied to supplier performance
Evidence rule: “We meet with them” is weak. “Here are the metrics, review notes, decisions, and action tracking” is strong. (ISO/IEC 20000-1:2018 Information technology — Service management)
Step 5: Address poor performance with a documented remediation path
ISO explicitly requires addressing poor performance. (ISO/IEC 20000-1:2018 Information technology — Service management)
Define a progressive path:
- Detection: metric breach, incident trend, audit finding, customer escalation
- Triage: severity, customer impact, workaround status, risk to continuity
- Corrective action plan (CAP): actions, owners, due dates, success criteria
- Governance: escalation to supplier management forum; executive escalation when needed
- Contractual actions: service credits, formal notice, mandated improvement plan
- Exit decision: if risk remains unacceptable, trigger transition plan
Your remediation process must connect to service management processes (incident, problem, change). A supplier-caused recurring incident should generate a problem record and track permanent corrective actions.
Step 6: Maintain a supplier management register and governance rhythm
Minimum governance elements:
- Named owners: service owner, supplier manager (or procurement), GRC support
- A central supplier register with criticality, contracts, targets, review dates, issues
- A recurring forum (or agenda item) to review critical supplier performance and risks
Tooling note: Many teams track this in spreadsheets until scale breaks. If you need workflow, evidence collection, and reminders tied to control requirements, Daydream can centralize supplier records, contracts, performance evidence, and corrective actions without losing audit traceability.
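The two checks that most often turn into audit findings in Steps 3 to 5, the upstream-versus-downstream SLA comparison and the trigger for the progressive remediation path, as an added worked example in Python (not code from the page or from any ISO/IEC 20000-1 tooling); the supplier names, SLA figures, the 730-hour month and the escalation thresholds are constructed assumptions.

```python
# Added illustration for Steps 3 to 5 above, not code from the page or from any
# ISO/IEC 20000-1 tool. Supplier names, SLA figures and thresholds are constructed.
from dataclasses import dataclass, field

HOURS_PER_MONTH = 730.0  # assumption: average month, used to normalise exclusions

@dataclass
class Supplier:
    name: str
    criticality: str             # "critical" | "important" | "routine"
    sla_pct: float               # contractual availability target (percent)
    excluded_hours: float = 0.0  # hours/month the contract excludes from measurement
    observed_pct: list = field(default_factory=list)  # monthly attainment, oldest first

def effective_floor(s: Supplier) -> float:
    """Availability the contract really guarantees over a whole month: excluded hours
    are time the supplier may be down without breaching, so they count as unguaranteed."""
    return s.sla_pct * (1.0 - s.excluded_hours / HOURS_PER_MONTH)

def upstream_floor(suppliers) -> float:
    """Worst case when the service needs every supplier at once (series dependency)."""
    floor = 1.0
    for s in suppliers:
        floor *= effective_floor(s) / 100.0
    return floor * 100.0

def sla_alignment_findings(service, customer_sla_pct, suppliers):
    """Step 3 hangup: flag upstream commitments that cannot carry the downstream promise."""
    findings = []
    floor = upstream_floor(suppliers)
    if floor < customer_sla_pct:
        findings.append(f"{service}: customer SLA {customer_sla_pct}% vs upstream floor {floor:.3f}%")
    for s in suppliers:
        if s.criticality == "critical" and effective_floor(s) < customer_sla_pct:
            findings.append(f"{service}: {s.name} floor {effective_floor(s):.3f}% below customer SLA")
    return findings

def remediation_tier(s: Supplier, chronic_months: int = 3) -> str:
    """Step 5 trigger (constructed thresholds): latest month breached -> 'cap';
    chronic_months consecutive breaches -> 'contractual'; recovered -> 'monitor'."""
    breaches = [m < s.sla_pct for m in s.observed_pct]
    if not any(breaches):
        return "none"
    if len(breaches) >= chronic_months and all(breaches[-chronic_months:]):
        return "contractual"
    return "cap" if breaches[-1] else "monitor"

# Constructed sample: one customer-facing service relying on two critical suppliers.
HOSTING = Supplier("CloudHost", "critical", 99.95, 4.0, [99.97, 99.91, 99.88])
TELECOM = Supplier("CarrierNet", "critical", 99.9, 0.0, [99.95, 99.99, 99.93])
CUSTOMER_SLA = 99.9

if __name__ == "__main__":
    print(*sla_alignment_findings("Payments API", CUSTOMER_SLA, [HOSTING, TELECOM]), sep="\n")
    print({s.name: remediation_tier(s) for s in (HOSTING, TELECOM)})
```

With the sample figures a 99.95% hosting SLA that excludes four maintenance hours a month only guarantees about 99.40%, so the two suppliers together cannot underwrite a 99.9% customer promise; the tier output is what a supplier management forum would pick up as its action list.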
Required evidence and artifacts to retain
Auditors will sample a set of suppliers and ask for proof across the lifecycle. Keep:
- Supplier inventory/register with service dependency and criticality
- Supplier selection/onboarding records (evaluations, approvals)
- Executed contracts and amendments with service targets
- Defined metrics and performance reports received from the supplier
- Internal review evidence: meeting minutes, QBR notes, decision logs
- Issue tracking: incidents tied to suppliers, escalations, problem records
- Corrective action plans and closure evidence
- Exit/transition plans for critical suppliers (even if not executed)
- Communications artifacts for major issues (notifications, escalations)
Common exam/audit questions and hangups
Expect questions like:
- “Show how you determine which suppliers are critical to service delivery.”
- “Where are service targets documented, and how do they map to your services?”
- “Prove you monitor performance. Who reviews it, and what actions were taken?”
- “Show an example of poor supplier performance and how you addressed it.”
- “How do you ensure subcontractors don’t undermine your service targets?”
Common hangups:
- Contracts exist but lack measurable targets or reporting rights.
- Performance is reviewed informally with no documented outcomes.
- Remediation is ad hoc; no consistent CAP process.
- Supplier inventory is incomplete or not tied to the service catalog.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Managing “vendors” instead of managing service dependencies. Fix: start from services and map upstream third parties; align controls to customer outcomes.
- Mistake: SLAs that cannot be measured. Fix: define metrics, time windows, data sources, and dispute handling in the contract.
- Mistake: Performance reviews with no decisions. Fix: require every review to output actions, owners, and due dates, even if the action is “no change.”
- Mistake: No documented response to chronic underperformance. Fix: create a standard CAP template and escalation trigger criteria tied to breaches or trends.
- Mistake: Procurement-only ownership. Fix: give service owners accountability for performance outcomes; procurement supports contracting and commercial enforcement.
Risk implications (why auditors care)
Weak supplier management shows up as:
- Repeated incidents with slow resolution because escalation paths are unclear
- Missed customer SLAs because upstream commitments are weaker than downstream promises
- Poor quality changes from third parties causing outages
- Limited ability to force improvement because the contract lacks enforceable targets and reporting
Clause 8.3.3 is designed to prevent these operational failures by making supplier performance a managed input into service quality. (ISO/IEC 20000-1:2018 Information technology — Service management)
Practical 30/60/90-day execution plan
First 30 days (stabilize and scope)
- Build a supplier register for service-impacting third parties.
- Identify critical suppliers by mapping them to your highest-impact services.
- Collect existing contracts and confirm whether service targets and reporting exist.
- Stand up a basic performance review template and meeting cadence for critical suppliers.
By 60 days (contract and monitoring operating rhythm)
- Update onboarding/selection checklist and approval workflow for critical suppliers.
- Define standard contract clauses: service targets, reporting, escalation, corrective actions.
- Start collecting performance evidence (reports, dashboards, meeting notes).
- Create a remediation playbook and CAP template; train service owners on triggers.
By 90 days (prove control effectiveness)
- Run at least one full cycle: performance review → actions → closure evidence for each critical supplier.
- Test an escalation path with a tabletop exercise for a critical supplier outage scenario.
- Produce an audit-ready pack per sampled supplier: selection, contract targets, monitoring, remediation.
- Decide whether to implement a system of record (for example, Daydream) to manage evidence, reminders, and audit trails at scale.
Frequently Asked Questions
Do we have to monitor every supplier the same way?
No. Clause 8.3.3 requires supplier management that ensures service quality, so monitoring should be risk-based and tied to service criticality. You do need a consistent method to decide the level of oversight and to prove it was followed. (ISO/IEC 20000-1:2018 Information technology — Service management)
What counts as “service targets” in a contract?
Measurable commitments that affect service delivery, such as availability definitions, support response expectations, reporting obligations, and escalation timelines. Targets should be written so you can verify performance with data you can obtain. (ISO/IEC 20000-1:2018 Information technology — Service management)
If a supplier is a monopoly provider (telecom, utility), how do we “select” them?
Document the constraint and focus on managing what you can control: contract terms, redundancy options, monitoring, and tested escalation paths. Selection evidence can show evaluation of alternatives and compensating controls where choice is limited. (ISO/IEC 20000-1:2018 Information technology — Service management)
Can we meet the requirement if procurement owns supplier management?
Only if service management requirements are embedded into procurement’s process and service owners actively review performance and remediation. Auditors will test whether operational teams can enforce targets and resolve poor performance, not just whether contracts exist. (ISO/IEC 20000-1:2018 Information technology — Service management)
What evidence is most persuasive in an ISO 20000 audit?
A supplier-level packet that shows the lifecycle: selection decision, contract with service targets, performance metrics reviewed on a cadence, and at least one documented example of issue handling or corrective action. Evidence should connect supplier performance to service outcomes. (ISO/IEC 20000-1:2018 Information technology — Service management)
How do we handle suppliers that won’t provide metrics or accept audit rights?
Treat it as a risk decision. Document the gap, attempt negotiation, add compensating monitoring (synthetic monitoring, incident trend analysis), and define exit options if the lack of transparency threatens service quality. (ISO/IEC 20000-1:2018 Information technology — Service management)