Draft | Internal | ISO 9001 | ISO 14001 | ISO 27001

SW-IMS-POL-002

Procurement and Asset Acquisition Policy

Version

1.0

Owner

CEO

Effective Date

TBD

Review Date

TBD

Procurement and Asset Acquisition Policy

1. Purpose

This policy establishes Swedwise AB's approach to procuring goods and services, acquiring IT assets, and managing supplier relationships. It ensures procurement decisions support quality objectives, environmental sustainability, information security, and value for money while meeting ISO 9001, ISO 14001, and ISO 27001 requirements.

2. Scope

This policy applies to:

  • All procurement of goods and services by Swedwise AB
  • IT hardware and equipment (computers, servers, network equipment, mobile devices)
  • Software licenses and subscriptions (SaaS, cloud services, productivity tools)
  • Cloud services and infrastructure (Azure, AWS, hosting services)
  • Professional services (consultants, contractors, specialist services)
  • Office supplies and consumables
  • Facilities and office equipment
  • Third-party services supporting SaaS operations (data center, monitoring, security)
  • All staff authorized to make procurement decisions
  • All locations (Karlstad HQ, Stockholm, Uddevalla offices)

3. Procurement Objectives

Swedwise commits to:

  1. Value for Money: Obtain best value considering total cost of ownership, quality, and service
  2. Quality Assurance: Ensure procured goods and services meet requirements and standards
  3. Security: Assess and mitigate information security risks from suppliers and products
  4. Sustainability: Minimize environmental impact of procurement decisions
  5. Supplier Relationships: Establish mutually beneficial relationships with reliable suppliers
  6. Compliance: Meet legal, regulatory, and contractual procurement obligations
  7. Efficiency: Streamline procurement processes while maintaining appropriate controls

Procurement Principles

  • Needs-Based: Procure based on genuine business need, not convenience
  • Risk-Proportionate: Apply controls proportionate to value and risk
  • Competitive: Seek competitive pricing while valuing quality and reliability
  • Transparent: Document decisions and maintain clear procurement records
  • Ethical: Conduct procurement with integrity and avoid conflicts of interest

4. Management Commitment

Swedwise management commits to:

  • Provide clear procurement authority and approval thresholds
  • Support sustainable and secure procurement practices
  • Allocate adequate resources for supplier evaluation and management
  • Review procurement performance and supplier relationships
  • Lead by example in following procurement policies
  • Balance cost considerations with quality, security, and environmental objectives

5. Policy Statements

5.1 Procurement Authority and Approval

Procurement decisions require approval based on value thresholds:

Purchase Value (SEK)    Approval Authority             Additional Requirements
< 5,000                 Department manager             None
5,000 - 25,000          Department head                Budget confirmation
25,000 - 100,000        Management team member         Competitive quotes (3), business case
100,000 - 500,000       CEO                            Competitive quotes (3+), formal business case, supplier evaluation
> 500,000               CEO + Board (if applicable)    Detailed business case, due diligence, contract review

Notes:

  • Thresholds apply to single purchase or committed contract value (annual or total)
  • Recurring subscriptions evaluated on annual value
  • Budget holders may approve within budget and authority level
  • Emergency procurements follow expedited process but require post-approval review

Exceptions:

  • Standard IT equipment procurement (laptops, monitors) per approved specifications
  • Renewal of existing contracts with approved suppliers (within agreed terms)
  • Pre-approved supplier relationships with framework agreements

5.2 Procurement Process

Needs Identification

Requestor Responsibilities:

  • Define clear requirements (functional, technical, performance)
  • Justify business need
  • Consider environmental and security requirements
  • Identify budget source
  • Specify urgency and timing

Manager Responsibilities:

  • Validate business need and priority
  • Confirm budget availability
  • Assess alignment with business strategy
  • Approve or reject request

Supplier Selection

Sourcing Approach:

For Low-Value Purchases (< 25,000 SEK):

  • Single supplier acceptable if:
    • Established supplier relationship
    • Reasonable pricing
    • Meets requirements

For Medium-Value Purchases (25,000 - 100,000 SEK):

  • Minimum 3 competitive quotes (where practical)
  • Document rationale if fewer quotes obtained
  • Evaluate on price, quality, delivery, support

For High-Value Purchases (> 100,000 SEK):

  • Formal RFQ or RFP process
  • Minimum 3 suppliers invited
  • Evaluation criteria defined upfront
  • Formal evaluation and decision documentation
  • Supplier assessment (quality, security, environmental practices)

Supplier Evaluation Criteria:

  • Price and total cost of ownership
  • Quality of goods/services
  • Delivery capability and reliability
  • Financial stability
  • References and reputation
  • Information security practices (for IT and service providers)
  • Environmental management and sustainability
  • Contractual terms and flexibility
  • Support and warranty provisions

Contract and Order

Contract Requirements:

All contracts and purchase orders include:

  • Clear scope of goods/services
  • Pricing, payment terms, and any recurring costs
  • Delivery or service timeline
  • Quality standards and acceptance criteria
  • Warranties and guarantees
  • Support and maintenance terms (if applicable)
  • Confidentiality and data protection requirements (for service providers)
  • Termination and exit provisions
  • Liability and indemnification
  • Intellectual property rights (for software/development)

Standard Contracts:

  • Standard terms and conditions maintained for common procurements
  • Reviewed by [TBD - legal advisor/CEO] before use
  • Deviations from standard terms require approval

High-Value Contracts:

  • Legal review recommended for contracts > 250,000 SEK
  • Negotiation strategy approved by management
  • Risk assessment before signing

Receipt and Acceptance

Goods Receipt:

  • Verify goods match order (quantity, specification)
  • Inspect for damage or defects
  • Test functionality before acceptance
  • Document receipt in [TBD - inventory system, finance system]

Service Acceptance:

  • Confirm service delivery meets requirements
  • Obtain acceptance sign-off from service owner
  • Address any deficiencies before payment

Payment:

  • Authorize payment only after satisfactory receipt/acceptance
  • Process invoices according to payment terms
  • Maintain records for accounting and audit

5.3 IT Asset Procurement

Specific requirements for IT equipment and software:

Hardware Standards

Employee Devices:

  • Standard laptop model: [TBD - e.g., Dell Latitude series, Lenovo ThinkPad]
  • Specifications: [TBD - minimum CPU, RAM, storage]
  • Mobile devices: [TBD - iPhone, Android, approved models]
  • Peripherals: [TBD - monitors, keyboards, docking stations]

Server and Infrastructure:

  • Preference for cloud/virtualization over physical hardware
  • Physical servers only when justified (cost, performance, compliance)
  • Specifications aligned with capacity requirements
  • Redundancy and availability considerations

Sustainability Considerations:

  • Energy efficiency (Energy Star, TCO certified)
  • Recyclability and end-of-life disposal options
  • Manufacturer environmental practices
  • Longevity and repairability

Security Considerations:

  • TPM 2.0 for endpoints
  • Full disk encryption support
  • Security update support timeline
  • Manufacturer security practices and track record

Software and Licensing

Software Procurement:

  • Preference for cloud/SaaS over on-premises where practical
  • Evaluate total cost of ownership (licensing, maintenance, support)
  • Assess vendor viability and roadmap
  • Check compatibility with existing systems

Licensing Compliance:

  • Maintain accurate license inventory
  • Avoid over-licensing or under-licensing
  • Consolidate licenses for volume discounts where possible
  • Track renewal dates and costs

Open Source Software:

  • Acceptable for use when:
    • Actively maintained with security updates
    • Compatible license (permissive licenses such as MIT, Apache, BSD; copyleft licenses such as GPL reviewed for terms before use)
    • Community or commercial support available
    • Evaluated for known security vulnerabilities before adoption and monitored thereafter
  • Document open source usage (component inventory) for license compliance and vulnerability tracking

Security Assessment:

For all software and SaaS services:

  • Vendor security practices (security certifications, track record)
  • Data handling and privacy (GDPR compliance, data location)
  • Authentication and access control capabilities
  • Encryption (data in transit and at rest)
  • Audit logging and monitoring
  • Backup and recovery capabilities
  • Vendor security incident history
  • Third-party security assessments (if available)

Formal security assessment required for:

  • Software handling confidential or restricted data
  • Services with access to Swedwise systems or networks
  • SaaS platforms with customer data
  • High-value or critical services

Cloud Service Procurement

Cloud Service Evaluation:

Technical Criteria:

  • Service availability and SLA (target 99.9%+)
  • Performance (latency, throughput)
  • Scalability and flexibility
  • Integration capabilities (APIs, connectors)
  • Backup and disaster recovery
  • Geographic regions and data residency

Security Criteria:

  • Security certifications (ISO 27001, SOC 2, etc.)
  • Data encryption (in transit and at rest)
  • Network security (firewall, segmentation, DDoS protection)
  • Identity and access management (SSO, MFA)
  • Compliance support (GDPR, industry regulations)
  • Incident response and notification
  • Security monitoring and logging

Compliance and Legal:

  • Data processing agreement (DPA) for personal data
  • Data location and jurisdiction
  • Subprocessor disclosure and approval
  • Audit rights and transparency
  • Exit strategy and data portability

Preferred Cloud Providers:

  • Primary: Microsoft Azure (existing investment, Microsoft 365 integration)
  • Secondary: [TBD - AWS, Google Cloud] for specific use cases
  • Specialty: [TBD - niche providers for specific needs]

5.4 SaaS and Service Provider Management

For suppliers supporting SaaS operations or handling customer data:

Supplier Security Assessment

Pre-Engagement Assessment:

  • Security questionnaire or certification review
  • Data handling practices
  • Subcontractor disclosure
  • Incident response capability
  • Compliance with relevant standards (ISO 27001, SOC 2)

Due Diligence for Critical Suppliers:

  • Detailed security assessment or audit
  • Reference checks with similar customers
  • Contract security terms negotiation
  • Ongoing security monitoring provisions

Examples:

  • Entiros AB (data center): Critical supplier, comprehensive security review
  • OpenText (software licensing): Established vendor, certifications reviewed
  • Monitoring/security services: Security assessment required

Supplier Agreements

Service Level Agreements (SLAs):

  • Availability commitments (uptime %)
  • Performance metrics (response time, throughput)
  • Support response times
  • Escalation procedures
  • Penalties or remedies for non-performance

Security and Compliance Clauses:

  • Information security obligations
  • Data protection and privacy compliance (GDPR)
  • Right to audit or assessment
  • Incident notification requirements
  • Subcontractor management
  • Insurance requirements

Exit and Termination:

  • Termination notice periods
  • Data return or destruction
  • Transition assistance
  • Post-termination obligations

5.5 Environmental Sustainability in Procurement

Swedwise integrates environmental considerations into procurement:

Product Selection

Environmental Criteria:

  • Energy efficiency and consumption
  • Recyclable materials and design
  • Hazardous substance reduction (RoHS, REACH)
  • Packaging and shipping impact
  • Manufacturer environmental certifications (ISO 14001, eco-labels)
  • Product lifespan and durability

Preference Hierarchy:

  1. Reduce: Avoid unnecessary procurement, reuse existing assets
  2. Efficient: Select energy-efficient and durable products
  3. Responsible: Choose vendors with strong environmental practices
  4. Recycle: Ensure end-of-life recycling and responsible disposal

Supplier Environmental Performance

For significant suppliers:

  • Environmental policy and management system
  • Carbon footprint and reduction initiatives
  • Waste management and recycling programs
  • Compliance with environmental regulations
  • Transparency and environmental reporting

Preferential consideration for suppliers with:

  • ISO 14001 certification
  • Science-based carbon reduction targets
  • Circular economy practices

Green IT Practices

Cloud First:

  • Leverage cloud providers' scale and efficiency (Azure, Microsoft 365)
  • Avoid on-premises infrastructure when cloud alternative exists
  • Benefit from provider's renewable energy investments

Lifecycle Management:

  • Extend device lifespan through maintenance and upgrades
  • Refurbish and redeploy where possible
  • Responsible recycling through certified e-waste handlers
  • Data destruction before disposal (security and privacy)

Sustainable Operations:

  • Default to double-sided printing, digital workflows
  • Energy-efficient office equipment (Energy Star)
  • Reduce consumable waste (rechargeable batteries, refillable supplies)

5.6 Supplier Relationship Management

Ongoing management of supplier relationships:

Supplier Categorization

Category     Description                                                                    Management Approach
Critical     Service failure significantly impacts business (Entiros, OpenText, Microsoft)  Formal SLA, quarterly reviews, escalation contacts, risk monitoring
Important    Supports key operations, alternatives available                                SLA or service terms, annual review, performance monitoring
Standard     Routine goods/services, easily replaced                                        Transactional relationship, periodic pricing review

Supplier Performance Monitoring

Performance Metrics:

  • Delivery/service quality (defects, errors, rework)
  • Timeliness (on-time delivery, SLA compliance)
  • Responsiveness (issue resolution, communication)
  • Innovation and improvement (proactive suggestions, partnership)
  • Compliance (contractual terms, security, environmental)

Review Frequency:

  • Critical suppliers: Quarterly
  • Important suppliers: Semi-annually or annually
  • Standard suppliers: As needed or periodic spot checks

Performance Issues:

  • Document issues and communicate with supplier
  • Develop corrective action plans
  • Escalate if no improvement
  • Consider alternative suppliers for persistent issues

Supplier Reviews

Formal supplier reviews include:

  • Performance against SLAs and commitments
  • Quality, security, environmental performance
  • Commercial terms (pricing, contract status)
  • Risks and issues
  • Future plans and changes
  • Continuous improvement opportunities

Document review outcomes and actions in [TBD - supplier management system or register].

5.7 Procurement Records and Documentation

Maintain records to support transparency, audit, and continuous improvement:

Procurement Documentation:

  • Purchase requests and approvals
  • Supplier evaluations and selection rationale
  • Contracts and purchase orders
  • Quotes and proposals
  • Acceptance and receipt records
  • Invoices and payment records
  • Supplier performance evaluations

Retention:

  • Active contracts: Duration of contract + [TBD - e.g., 3 years]
  • Financial records: Per legal and tax requirements
  • Supplier evaluations: [TBD - e.g., 5 years]

Access:

  • Procurement records accessible to authorized staff
  • Finance, audit, and management have access as needed
  • Support internal audits and external assessments

5.8 Conflict of Interest and Ethics

Procurement conducted with integrity and transparency:

Conflict of Interest:

  • Staff disclose any personal or financial interest in suppliers
  • Recuse themselves from procurement decisions where conflict exists
  • Management reviews and approves exceptions if business need justifies

Gifts and Hospitality:

  • Staff do not accept gifts or hospitality that could influence procurement decisions
  • Nominal gifts (< [TBD - e.g., 500 SEK]) acceptable if disclosed
  • Hospitality acceptable if reasonable, business-related, and disclosed
  • Gifts and hospitality register maintained by [TBD - HR/Management]

Fair Dealing:

  • Treat all suppliers fairly and equitably
  • Maintain confidentiality of supplier information
  • Provide clear and honest information in RFQs/RFPs
  • Honor commitments and contractual terms

5.9 Emergency and Urgent Procurement

Situations requiring urgent procurement (service outage, critical failure, security incident):

Expedited Process:

  • Obtain verbal approval from authorized manager
  • Document urgency and justification
  • Procure from known/trusted supplier if possible
  • Formalize approval and documentation within [TBD - e.g., 5 business days]

Emergency Purchases:

  • May exceed approval authority if necessary to prevent significant business impact
  • Notify management immediately
  • Retrospective approval and documentation required
  • Post-incident review to assess if emergency could have been prevented

5.10 Procurement Training and Competence

Staff involved in procurement are equipped with necessary knowledge:

  • Managers with Approval Authority: Training on this policy, approval thresholds, evaluation criteria
  • Procurement Coordinators (if appointed): Supplier evaluation, contract management, procurement systems
  • IT Staff: IT asset procurement, software licensing, cloud service evaluation, security assessment
  • All Staff: Basic procurement principles, how to submit requests, prohibited practices

Training provided during onboarding and updated when policy changes.

6. Roles and Responsibilities

Chief Executive Officer (CEO)

Responsibilities:

  • Approve high-value procurements (> 100,000 SEK)
  • Review supplier performance for critical suppliers
  • Set overall procurement strategy and priorities
  • Approve exceptions to procurement policy
  • Ensure adequate budget for procurement needs

Management Team / Department Heads

Responsibilities:

  • Approve procurements within authority level
  • Manage department procurement budgets
  • Ensure staff follow procurement procedures
  • Participate in supplier selection for significant procurements
  • Review supplier performance for their area
  • Identify needs and plan procurements

Chief Information Security Officer (CISO)

Assigned to: [TBD]

Responsibilities:

  • Approve IT and security-related procurements
  • Conduct or review security assessments of IT suppliers and cloud services
  • Maintain approved software and service lists
  • Advise on security requirements in procurement
  • Monitor supplier security performance

Environmental Lead

Assigned to: [TBD]

Responsibilities:

  • Advise on environmental criteria in procurement
  • Assess supplier environmental performance
  • Promote sustainable procurement practices
  • Monitor environmental impact of procurement decisions

Finance / Administration

Assigned to: [TBD]

Responsibilities:

  • Process purchase orders and invoices
  • Maintain procurement records and documentation
  • Monitor procurement spending and budget compliance
  • Coordinate contract renewals and expiry tracking
  • Provide procurement reporting and analysis

Procurement Coordinator (if appointed)

Assigned to: [TBD - optional role for larger procurements]

Responsibilities:

  • Coordinate procurement processes (RFQ/RFP)
  • Support supplier evaluation and selection
  • Maintain supplier information and contracts
  • Facilitate supplier reviews and performance monitoring
  • Provide procurement advice and training

All Staff

Responsibilities:

  • Submit procurement requests through approved channels
  • Provide clear and accurate requirements
  • Follow procurement procedures and approval thresholds
  • Do not make unauthorized purchases
  • Disclose any conflicts of interest
  • Treat suppliers professionally and ethically

7. Procurement Governance

Procurement Planning

  • Annual procurement planning aligned with budget process
  • Identify significant or strategic procurements for the year
  • Plan for contract renewals and expirations
  • Coordinate across departments to leverage volume or standardization

Management Review

Procurement performance reviewed in management reviews, including:

  • Procurement spending and budget adherence
  • Supplier performance (SLAs, issues, risks)
  • Security and environmental performance of suppliers
  • Procurement policy compliance
  • Opportunities for cost savings or efficiency improvements
  • Strategic supplier relationships

Continuous Improvement

Procurement processes improved through:

  • Lessons learned from procurement experiences
  • Supplier feedback and collaboration
  • Benchmarking and industry best practices
  • Audit findings and recommendations
  • Emerging risks or requirements (security, environmental, regulatory)

8. Review and Update

This policy is:

  • Reviewed at least annually by [TBD - CEO, CISO, or designated lead]
  • Updated when significant changes occur in:
    • Business operations or procurement needs
    • Supplier landscape or strategic relationships
    • Legal, regulatory, or contractual requirements
    • Technology or service offerings
    • Organizational structure or approval authorities
  • Approved by CEO
  • Communicated to all staff following updates

9. Related Documents

Policies:

  • SW-IMS-POL-001: Integrated Management System Policy
  • SW-ISMS-POL-001: Information Security Policy
  • SW-EMS-POL-001: Environmental Policy
  • [TBD - SW-IMS-POL-XXX: Supplier Management Policy]
  • [TBD - SW-ISMS-POL-XXX: Data Protection and Privacy Policy]

Procedures:

  • [TBD - SW-IMS-PRO-XXX: Procurement Procedure]
  • [TBD - SW-IMS-PRO-XXX: Supplier Evaluation and Management Procedure]
  • [TBD - SW-ISMS-PRO-XXX: Supplier Security Assessment Procedure]
  • [TBD - SW-IMS-PRO-XXX: Contract Management Procedure]
  • [TBD - SW-IMS-PRO-XXX: Asset Management Procedure]

Templates:

  • [TBD - Purchase Request Form]
  • [TBD - Supplier Evaluation Template]
  • [TBD - RFQ/RFP Template]
  • [TBD - Supplier Security Questionnaire]
  • [TBD - Standard Contract Terms]

Supporting Documents:

  • [TBD - Approved Supplier List]
  • [TBD - IT Asset Standards and Specifications]
  • [TBD - Supplier Register]
  • [TBD - Contract Register]

10. Document Control

Version    Date     Author    Changes                    Approved By
1.0        [TBD]    [TBD]     Initial policy creation    [TBD - CEO name]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CEO


This policy is approved by Swedwise AB management and is effective from the date specified above. All staff are required to read, understand, and comply with this policy.

Swedwise AB | Make Time For The Good