SW-ISMS-FRM-014
Supplier Performance Review Template

| Version | Owner | Effective Date | Review Date |
|---|---|---|---|
| 1.0 | CISO | 2024-01-15 | 2025-01-15 |
Purpose
This form documents the ongoing performance review of suppliers, focusing on service delivery, SLA compliance, security posture, and incident management. Regular reviews ensure suppliers continue to meet Swedwise's requirements and security standards.
Instructions
- Conduct reviews at the frequency defined by risk tier (Tier 1: annual, Tier 2: annual, Tier 3: biennial, Tier 4: triennial)
- Collect data from monitoring, SLA reports, incident records, and business feedback
- Meet with the supplier to discuss performance (optional but recommended for Tier 1-2)
- Document findings, issues, and improvement actions
- Update risk tier if supplier performance or data access changes
- Escalate significant issues to CISO and business owner
- Retain with supplier contract and security documentation
Section 1: Review Information
| Field | Information |
|---|---|
| Review ID | |
| Review Period | From: __________ To: __________ |
| Review Date | |
| Review Type | ☐ Annual ☐ Biennial ☐ Triennial ☐ Post-Incident ☐ Ad-hoc |
| Reviewer Name | |
| Reviewer Title | |
Section 2: Supplier Information
| Field | Information |
|---|---|
| Supplier Name | |
| Supplier Contact | |
| Service/Product | |
| Contract Start Date | |
| Contract End Date | |
| Contract Value | SEK __________ (annually) |
| Current Risk Tier | ☐ Tier 1 (Critical) ☐ Tier 2 (High) ☐ Tier 3 (Medium) ☐ Tier 4 (Low) |
| Business Owner | (Swedwise department/person) |
Previous Assessment
| Field | Information |
|---|---|
| Last Review Date | |
| Previous Overall Rating | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Needs Improvement ☐ Unsatisfactory |
| Previous Issues | |
Section 3: Service Delivery Performance
SLA Metrics
Availability/Uptime:
| Metric | SLA Target | Actual Performance | Met? | Comments |
|---|---|---|---|---|
| Service Availability | | | ☐ Yes ☐ No | |
| Planned Downtime | | | ☐ Yes ☐ No | |
| Unplanned Downtime | | | ☐ Yes ☐ No | |
Total Downtime this period: _____ hours/minutes
Number of service outages: _____
Response and Resolution Times
| Metric | SLA Target | Actual Average | Met? | Comments |
|---|---|---|---|---|
| Initial Response Time | | | ☐ Yes ☐ No | |
| Resolution Time (P1) | | | ☐ Yes ☐ No | |
| Resolution Time (P2) | | | ☐ Yes ☐ No | |
| Resolution Time (P3) | | | ☐ Yes ☐ No | |
Service Quality
| Quality Metric | Target | Actual | Met? |
|---|---|---|---|
| Data Accuracy | | | ☐ Yes ☐ No |
| Transaction Success Rate | | | ☐ Yes ☐ No |
| Response Time (performance) | | | ☐ Yes ☐ No |
| Error Rate | | | ☐ Yes ☐ No |
SLA Compliance Summary
Overall SLA Compliance: _____%
SLA Credits Issued: ☐ Yes (SEK _______) ☐ No
Service delivery rating:
- ☐ Excellent (>99% SLA compliance, exceeds expectations)
- ☐ Good (95-99% compliance, meets expectations)
- ☐ Satisfactory (90-94% compliance, acceptable with some issues)
- ☐ Needs Improvement (80-89% compliance, notable gaps)
- ☐ Unsatisfactory (<80% compliance, significant failures)
Section 4: Security and Compliance Performance
Security Incidents
Security incidents involving this supplier during review period:
| Date | Incident Type | Severity | Impact to Swedwise | Resolution | Satisfactory? |
|---|---|---|---|---|---|
| | | ☐ P1 ☐ P2 ☐ P3 ☐ P4 | | | ☐ Yes ☐ No |
| | | ☐ P1 ☐ P2 ☐ P3 ☐ P4 | | | ☐ Yes ☐ No |
| | | ☐ P1 ☐ P2 ☐ P3 ☐ P4 | | | ☐ Yes ☐ No |
Total incidents: _____
Any P1/P2 incidents affecting customer data? ☐ Yes ☐ No
If Yes, was Swedwise notified within SLA? ☐ Yes ☐ No
Incident Notification and Response
Incident notification performance:
- ☐ All incidents reported within agreed timeframe
- ☐ Most incidents reported on time (minor delays)
- ☐ Significant delays in incident reporting
- ☐ Incidents discovered by Swedwise, not reported by supplier
Incident response effectiveness:
- ☐ Excellent - Swift, thorough, transparent
- ☐ Good - Adequate response and communication
- ☐ Satisfactory - Acceptable but slow or incomplete
- ☐ Poor - Inadequate response or lack of communication
Security Certifications and Audits
Current certifications:
| Certification | Status | Expiry Date | Renewed/Verified? |
|---|---|---|---|
| ISO/IEC 27001 | ☐ Active ☐ Expired ☐ N/A | | ☐ Yes ☐ No |
| SOC 2 Type II | ☐ Active ☐ Expired ☐ N/A | | ☐ Yes ☐ No |
| Other: | ☐ Active ☐ Expired ☐ N/A | | ☐ Yes ☐ No |
Any certifications lapsed or not renewed? ☐ Yes (concern) ☐ No
New certifications obtained? ☐ Yes: _____________ ☐ No
Compliance Status
Regulatory compliance:
- ☐ GDPR compliance maintained
- ☐ All required Data Processing Agreements (DPAs) in place
- ☐ Subprocessor notifications provided (if applicable)
- ☐ Data location restrictions respected
- ☐ No compliance violations or concerns
Any compliance violations or concerns?
[Document any compliance issues]
Security Posture Changes
Significant changes to supplier's security posture:
- ☐ Security improvements implemented (describe below)
- ☐ Security degradation or concerns (describe below)
- ☐ No significant changes
Details:
[Describe any changes in security practices, certifications, or concerns]
Does the security questionnaire need to be re-issued? ☐ Yes ☐ No
Security Performance Rating
- ☐ Excellent (No incidents, strong security, certifications current)
- ☐ Good (Minor incidents only, good security practices)
- ☐ Satisfactory (Some concerns but adequately managed)
- ☐ Needs Improvement (Notable security issues or gaps)
- ☐ Unsatisfactory (Significant security failures or breaches)
Section 5: Contract and Financial Performance
Contract Compliance
Contractual obligations:
| Obligation | Compliance | Comments |
|---|---|---|
| Deliverables met | ☐ Yes ☐ No ☐ Partial | |
| Security requirements met | ☐ Yes ☐ No ☐ Partial | |
| Reporting requirements met | ☐ Yes ☐ No ☐ Partial | |
| Audit rights respected | ☐ Yes ☐ No ☐ N/A | |
| Insurance maintained | ☐ Yes ☐ No ☐ N/A | |
Any contract breaches or disputes? ☐ Yes ☐ No
If Yes, describe:
[Describe any contract issues]
Financial Performance
| Metric | Information |
|---|---|
| Invoicing accuracy | ☐ Accurate ☐ Issues identified |
| Pricing changes | ☐ No changes ☐ Changes (describe): _____________ |
| Value for money | ☐ Excellent ☐ Good ☐ Fair ☐ Poor |
| Hidden costs or overages | ☐ None ☐ Identified (describe): _____________ |
Cost vs. budgeted amount: ☐ On budget ☐ Under budget ☐ Over budget (____%)
Section 6: Relationship and Communication
Communication Quality
Responsiveness:
- ☐ Excellent - Always responsive, proactive communication
- ☐ Good - Usually responsive, adequate communication
- ☐ Satisfactory - Acceptable but sometimes slow
- ☐ Poor - Often unresponsive or reactive only
Account management:
- ☐ Dedicated account manager assigned
- ☐ Regular check-ins and business reviews
- ☐ Responsive to requests and concerns
- ☐ Proactive recommendations and improvements
Technical support quality:
- ☐ Excellent - Knowledgeable, helpful, timely
- ☐ Good - Generally competent and helpful
- ☐ Satisfactory - Adequate but inconsistent
- ☐ Poor - Often inadequate or unhelpful
Business Relationship
Overall relationship quality:
- ☐ Excellent - True partner, adds value beyond contract
- ☐ Good - Collaborative, works well together
- ☐ Satisfactory - Professional but transactional
- ☐ Poor - Difficult to work with, strained relationship
Escalation handling:
- ☐ Escalations handled effectively and professionally
- ☐ Escalations sometimes needed but resolved
- ☐ Escalations frequently needed, poorly handled
Section 7: Issues and Improvements
Issues Identified
Significant issues during review period:
| # | Issue Description | Severity | Impact | Supplier Response | Resolved? |
|---|---|---|---|---|---|
| 1 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Yes ☐ No ☐ Ongoing |
| 2 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Yes ☐ No ☐ Ongoing |
| 3 | | ☐ Critical ☐ High ☐ Medium ☐ Low | | | ☐ Yes ☐ No ☐ Ongoing |
Are there any unresolved critical or high severity issues? ☐ Yes ☐ No
Improvement Areas
What improvements should the supplier make?
| Improvement Area | Priority | Target Date | Supplier Commitment |
|---|---|---|---|
| | ☐ High ☐ Medium ☐ Low | | ☐ Yes ☐ No |
| | ☐ High ☐ Medium ☐ Low | | ☐ Yes ☐ No |
| | ☐ High ☐ Medium ☐ Low | | ☐ Yes ☐ No |
Positive Aspects
What has the supplier done well?
[Highlight positive performance, innovations, or above-and-beyond service]
Section 8: Business Owner Feedback
Business User Satisfaction
| Aspect | Rating | Comments |
|---|---|---|
| Service quality | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Poor | |
| Reliability | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Poor | |
| Support | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Poor | |
| Value | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Poor | |
| Overall satisfaction | ☐ Very satisfied ☐ Satisfied ☐ Neutral ☐ Dissatisfied ☐ Very dissatisfied | |
Would you recommend this supplier to other departments? ☐ Yes ☐ Maybe ☐ No
Business owner comments:
[Business owner's assessment of supplier performance and value]
Section 9: Overall Performance Assessment
Performance Summary
| Category | Weight | Rating | Weighted Score | Notes |
|---|---|---|---|---|
| Service Delivery | 30% | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Needs Improvement ☐ Unsatisfactory | | |
| Security/Compliance | 30% | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Needs Improvement ☐ Unsatisfactory | | |
| Contract/Financial | 20% | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Needs Improvement ☐ Unsatisfactory | | |
| Relationship/Communication | 20% | ☐ Excellent ☐ Good ☐ Satisfactory ☐ Needs Improvement ☐ Unsatisfactory | | |
Scoring:
- Excellent = 5 points
- Good = 4 points
- Satisfactory = 3 points
- Needs Improvement = 2 points
- Unsatisfactory = 1 point
Total Weighted Score: _____ / 5.0
Overall Performance Rating
- ☐ Excellent (4.5-5.0) - Exceeds expectations, exemplary performance
- ☐ Good (3.5-4.4) - Meets expectations, solid performance
- ☐ Satisfactory (2.5-3.4) - Acceptable performance, some improvement needed
- ☐ Needs Improvement (1.5-2.4) - Notable gaps, improvement plan required
- ☐ Unsatisfactory (<1.5) - Significant failures, consider termination
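The Section 9 scoring rule (category weight × rating points, summed to a total out of 5.0, then mapped to a rating band) is small enough to check mechanically, and doing so exposes a property reviewers should know about. The script below is an added example for this template, not part of the form: the weights, point values and bands are copied from Section 9, and the only assumption made here is that the weighted score is rounded to one decimal before banding, because the bands on the form are written to one decimal (4.4 vs 4.5). The constructed sample review shows a supplier rated Excellent in three categories and Unsatisfactory in Security/Compliance still landing in the "Good" band.

```python
"""Weighted supplier score and overall rating band from Section 9.

Added example for this template, not part of the form itself. Weights, points
and bands are taken from Section 9; rounding to one decimal before banding is
an assumption made here so that every score falls into exactly one band.
"""
from typing import Dict, Tuple

# Section 9 point values per rating.
POINTS: Dict[str, int] = {
    "Excellent": 5,
    "Good": 4,
    "Satisfactory": 3,
    "Needs Improvement": 2,
    "Unsatisfactory": 1,
}

# Section 9 category weights; they must total 100%.
WEIGHTS: Dict[str, float] = {
    "Service Delivery": 0.30,
    "Security/Compliance": 0.30,
    "Contract/Financial": 0.20,
    "Relationship/Communication": 0.20,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must total 100%"

# Section 9 overall rating bands: (inclusive lower bound, label), highest first.
BANDS: Tuple[Tuple[float, str], ...] = (
    (4.5, "Excellent"),
    (3.5, "Good"),
    (2.5, "Satisfactory"),
    (1.5, "Needs Improvement"),
    (0.0, "Unsatisfactory"),
)


def weighted_score(ratings: Dict[str, str]) -> float:
    """Return the Total Weighted Score (out of 5.0) for one review.

    `ratings` maps each Section 9 category to the rating ticked on the form.
    An incomplete or mis-ticked form is rejected rather than silently scoring
    the missing category as zero.
    """
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated categories: {sorted(missing)}")
    unknown = {cat: r for cat, r in ratings.items() if r not in POINTS}
    if unknown:
        raise ValueError(f"invalid ratings: {unknown}")
    total = sum(WEIGHTS[cat] * POINTS[ratings[cat]] for cat in WEIGHTS)
    # Assumption: bands are written to one decimal, so round before banding.
    return round(total, 1)


def overall_rating(score: float) -> str:
    """Map a weighted score to the Section 9 Overall Performance Rating band."""
    if not 0.0 <= score <= 5.0:
        raise ValueError("score must be between 0.0 and 5.0")
    for lower, label in BANDS:
        if score >= lower:
            return label
    raise AssertionError("unreachable: the 0.0 band catches every score")


def masked_security_failure(ratings: Dict[str, str]) -> bool:
    """True when Security/Compliance is Unsatisfactory yet the weighted band is
    Satisfactory or better, i.e. the average hides a security failure that
    Sections 4 and 7 of the form flag separately."""
    band = overall_rating(weighted_score(ratings))
    return (ratings.get("Security/Compliance") == "Unsatisfactory"
            and band in ("Satisfactory", "Good", "Excellent"))


if __name__ == "__main__":
    # Constructed sample review: strong everywhere except security.
    sample = {
        "Service Delivery": "Excellent",
        "Security/Compliance": "Unsatisfactory",
        "Contract/Financial": "Excellent",
        "Relationship/Communication": "Excellent",
    }
    score = weighted_score(sample)
    print(f"Total Weighted Score: {score} / 5.0 -> {overall_rating(score)}")
    print("security failure masked by the average:", masked_security_failure(sample))
```

Because Security/Compliance carries only 30% of the weight, a supplier scoring 1 point there and 5 points everywhere else totals 3.8, which the bands read as "Good". That is why the form asks separately whether any P1/P2 incident affected customer data (Section 4) and whether any critical or high severity issue remains unresolved (Section 7), and why Tier 1-2 reviews require CISO sign-off (Section 11): the weighted score alone should not drive the contract recommendation when the security category is Unsatisfactory.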
Trend compared to previous review:
- ☐ Improving - Performance has improved since last review
- ☐ Stable - Performance consistent with last review
- ☐ Declining - Performance has deteriorated since last review
- ☐ N/A - First review
Section 10: Actions and Recommendations
Required Actions
Actions required from supplier:
| Action | Priority | Owner | Due Date | Status |
|---|---|---|---|---|
| | ☐ Critical ☐ High ☐ Medium | | | ☐ Assigned ☐ In Progress ☐ Complete |
| | ☐ Critical ☐ High ☐ Medium | | | ☐ Assigned ☐ In Progress ☐ Complete |
| | ☐ Critical ☐ High ☐ Medium | | | ☐ Assigned ☐ In Progress ☐ Complete |
Actions required from Swedwise:
| Action | Priority | Owner | Due Date | Status |
|---|---|---|---|---|
| | ☐ High ☐ Medium ☐ Low | | | ☐ Assigned ☐ In Progress ☐ Complete |
| | ☐ High ☐ Medium ☐ Low | | | ☐ Assigned ☐ In Progress ☐ Complete |
Risk Tier Recommendation
Should the risk tier be adjusted?
- ☐ No change - Risk tier remains: Tier _____
- ☐ Yes - Increase to Tier _____ (reason): _______________________
- ☐ Yes - Decrease to Tier _____ (reason): _______________________
Justification for tier change:
[Explain why tier should change based on performance or changed circumstances]
Contract Recommendation
Contract continuation recommendation:
- ☐ Continue - Renew/extend contract as planned
- ☐ Continue with Conditions - Renew with improvements required
- ☐ Renegotiate - Significant terms need renegotiation
- ☐ Transition to Alternative - Begin migration to another supplier
- ☐ Terminate - End relationship at contract end or sooner
If Continue with Conditions, specify conditions:
[List conditions for contract renewal]
If Transition or Terminate, specify reason and timeline:
[Explain reason for change and proposed transition plan]
Section 11: Review Sign-Off
Reviewer Certification
I certify that this review accurately reflects the supplier's performance during the review period and that the recommendations are based on objective assessment of service delivery, security posture, and business value.
| Field | Information |
|---|---|
| Reviewer Name | |
| Reviewer Title | |
| Signature | |
| Date | |
Approval and Actions
| Role | Name | Signature | Date | Decision/Action |
|---|---|---|---|---|
| Business Owner | | | | ☐ Approve ☐ Request Changes |
| CISO (Tier 1-2) | | | | ☐ Approve ☐ Request Changes |
| Management (if termination) | | | | ☐ Approve ☐ Discuss |
Section 12: Follow-Up and Next Review
Next Review
| Field | Information |
|---|---|
| Next Review Type | ☐ Annual ☐ Biennial ☐ Triennial ☐ Post-Incident |
| Next Review Due | |
| Responsible Reviewer | |
Interim Check-Ins
Scheduled interim check-ins (for Tier 1-2 or if issues identified):
| Check-In Date | Purpose | Responsible |
|---|---|---|
| | | |
| | | |
Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | | | Initial review |
Quick Reference - Review Frequency by Tier
| Risk Tier | Review Frequency | Minimum Assessment Components |
|---|---|---|
| Tier 1 - Critical | Annual | Full performance review + security reassessment + business review meeting |
| Tier 2 - High | Annual | Full performance review + security questionnaire update |
| Tier 3 - Medium | Biennial (every 2 years) | Performance review + spot-check security |
| Tier 4 - Low | Triennial (every 3 years) | Basic performance review |
Notes
[Additional notes, observations, or context]
Attachments
Supporting documentation:
- ☐ SLA reports
- ☐ Incident summaries
- ☐ Updated security questionnaire (if applicable)
- ☐ Audit or certification documents
- ☐ Corrective action plans
- ☐ Meeting notes
- ☐ Contract amendments (if any)
Attachment location: ___________________________________________________________
Contact Information
For supplier performance questions:
- Supplier Management: supplier-security@swedwise.se
- CISO: [Contact details]
- Procurement: [Contact details]
- Business Owner: [Contact per supplier]