A bundle is a pre-defined set of documents. By purchasing the document bundle as a whole, you achieve significant savings from purchasing the documents individually. There is sometimes duplicate content among the bundled documents. See full details below.

Supplier Management Bundle – Policy + Process + Excel Toolkit

[ISO/IEC 20000:2018, ITIL 4] · Immediate download (2× DOCX + 1× XLSX)

What it is

An audit-ready Supplier Management (SUP) kit that gives you the top-level policy, a fully structured process, and a practical Excel toolkit—so you can govern suppliers end-to-end in line with ISO/IEC 20000-1:2018 and ITIL 4. Expect hard quality gates (G1.0–G6.2), one authoritative Supplier & Contract Register, a strict "change execution rule" (no onboard/amend/offboard without an approved RFC), and explicit evidence mapping for auditors.


What's inside

1) Supplier Management Policy (DOCX)
Board-level rules that set purpose, scope, roles, supplier tiering & governance cadence, mandatory gates, privacy/security by design (DPIA, DPA/SCCs, sub-processor notifications), measurable objectives/KPIs, interfaces, and records & retention—written to evidence conformity with ISO/IEC 20000 clauses 4–7, 8.1, 8.3, 9, 10. Includes delegated authorities, minimum clause checklist, and review cadence by tier.

2) Supplier Management Process (DOCX)
A complete, clause-mapped procedure with workflow, RACI, triggers/inputs/outputs, CSFs & KPIs, risks & controls, Internal Audit & Management Review, and a rigorous "Evidence Mapping for Auditors." Comes with Appendix A (data model & governance views) and a comprehensive template library SUP-T01…T41 (e.g., evaluation criteria, DD, MSA/SOW, KPI/OLA pack, scorecards, audit/CAR, decision memo, exit pack).

3) Supplier Management Excel Toolkit (XLSX)
A ready-to-use workbook aligned to the process templates—built around the Contract Register (SUP-T15), Governance Plan (T16), Onboarding (T18), Scorecards (T21), Consumption (T22), Audit (T23), CAR (T24), RCA/CAPA (T25), Review Pack (T27), Decision Memo ≥T-90 (T29), Exit & Comms (T31–T33), Records & Retention (T34), CSI & Effectiveness (T35, T39), Updated Docs Log (T40), and Training/Comms (T41)—so you can operationalize on day one.

Key features

Standards alignment, made explicit – Clause cross-reference and evidence pointers ensure traceability from requirement → control → record.

Eight-phase lifecycle with gates (G1.0–G6.2) – Govern: Plan → Source/Evaluate → Contract → Onboard & Integrate → Operate/Monitor/Report → Review/Improve/Renew/Amend/Terminate → Offboard → CSI—each with pass criteria and block authorities (e.g., G3.2 onboarding complete; G3.2.1 bidirectional process tests & Catalogue/CMDB updated via change; G5.0 exit evidence complete).

Single source of truth + change control – One Supplier & Contract Register; no shadow lists. No onboarding/amend/offboarding without an approved RFC that references gate evidence; Catalogue/CMDB must be updated before RFS.

Privacy & Security by design – DPIA pre-award/go-live where applicable, DPA/SCCs, sub-processor change-notification and audit rights, and quarterly/annual attestations embedded in governance.

Independent assurance – Risk-based Internal Audit with sampling by tier; CARs opened ≤ 5 business days and verified ≤ 30 days, plus Management Review with minuted actions/targets.

KPI/CSF pack – Targets such as ≥95% on-time audits, ≥95% scorecard timeliness, ≥95% renewal decisions recorded ≥T-90 (100% Tier-1), BC/DR test pass rates, each with owners, formulas, frequency, and reaction plans.


Benefits

Select the right partners—fast and defensibly. Transparent criteria, conflict-of-interest controls, due-diligence, and PoC rules keep sourcing objective and auditable.

Integrate without surprises. A SIAM/Integration Lead, workflow federation (incident/change/problem/capacity), and pre-RFS bidirectional tests prevent go-live shocks.

Stay always audit-ready. Records & Retention, evidence mapping, and independent audits (with CAR effectiveness checks) make assurance predictable.


Never miss a renewal. Automated T-180/120/90 alerts and the ≥T-90 decision rule keep contracts under control and documented—no last-minute fire drills.

Who it's for

Supplier/Procurement leaders, Service & Contract Owners, CIO/IT leadership, Security/Privacy/DPO, Architecture & SIAM/Integration leads, Finance partners, Internal Audit, Risk & Compliance—any organization building an ISO/IEC 20000-aligned supplier capability with ITIL 4 practices.

Get an ITIL-aligned, ISO/IEC 20000:2018 Supplier Management bundle—editable, enforceable, and audit-ready—so you can govern selections, integrations, performance, renewals, and exits with confidence from day one.