Digital Field Worker. Photo: Ole Jørgen Bratland.
Supplier Information
We value and emphasize our commitment to working with high-performing suppliers who adhere to our health, safety, ethics, and corporate responsibility standards. We believe strong partnerships are key to maintaining our competitive edge.
Supply chain in Equinor
On our homepage, discover how partnering with us as a supplier can enhance your business and our operations. We prioritize relationships with top-performing suppliers who share our commitment to health, safety, and ethical standards. By registering with us, you contribute to socio-economic growth and gain opportunities for continuous improvement in security, technology, and innovation. Expect transparency, fairness, and predictability in all our dealings as we strive for a sustainable supply chain.
Code of Conduct
Equinor’s No Gift, Hospitality and Expense Policies
Dear Valued Supplier,
We would like to take this time to thank you for your collaboration and valuable contributions. This excellent and important cooperation is crucial for us and the industry, and will continue to be an essential factor in realizing our ambition of achieving net zero in 2050.
GIFTS, HOSPITALITY AND EXPENSES
As the holiday season is fast approaching, we would like to reiterate the importance of understanding and adhering to Equinor’s Policy on gifts, hospitality and expenses outlined in Equinor’s Code of Conduct.
As a supplier to Equinor, no offer of gifts, directly or indirectly, to Equinor’s employees, company representatives and/or any procurement responsible should be made. Hospitality such as social events, meals or entertainment should be avoided, unless a strong and clear business reason exists, and the costs are reasonable. Travel, accommodation, and other expenses for the individual representing Equinor will always be paid by Equinor.
We look forward to collaborating with you also in the future.
To get there. Together.
With best regards,
Mette Halvorsen Ottøy
PDP Procurement and supplier relations
SVP Supply Chain – Chief Procurement Officer
Cyber security baseline
Cyber Security Baseline Expectations to Suppliers
Equinor’s Cyber Security Baseline Expectations to Suppliers (termed Expectations in the rest of this document) is a framework designed to ensure the integrity, confidentiality, and availability of information shared with suppliers. This document serves as a foundation for fostering a secure environment throughout our supply chain. By meeting these expectations, suppliers contribute to the overall resilience of our joint operations, safeguard our joint interests, and reinforce the trust and confidence of all stakeholders.
The Expectations typically constitute part of the agreement between a supplier and Equinor for supply of materials or services. Additional cyber security requirements may also apply subject to cyber security risk assessments performed by Equinor.
1.0 GENERAL
It is Equinor’s intention that, in the implementation and administration of the agreement, the supplier shall use their own internal cyber security frameworks (including policies, systems, routines and procedures) where these meet or exceed Equinor’s Expectations.
The supplier shall adapt their frameworks to comply with the Expectations where these are not met.
When work is carried out at Equinor’s Sites, suppliers shall follow appropriate Equinor guidelines.
1.1 Definitions
Equinor Information means any information that Equinor shares with the supplier or an appointee in connection with the performance of the agreement, including but not limited to personal data and Equinor data.
HSE means Health, Safety, Security, Social Responsibility and Environment.
Site means the place where the work is being performed.
Sub suppliers and their suppliers means all parties other than the supplier performing part of the work and includes all levels in the supply chain.
1.2 Cyber Security Management System
The supplier shall have implemented, or be able to demonstrate compliance with, a cyber security management system based on published, internationally accepted standards. The cyber security management system shall include all activities conducted by the supplier related to the delivery of the contract.
The supplier’s cyber security management system shall, at a minimum, cover:
• The identification, assessment, treatment, and reporting of cyber security risks
• Application of controls to protect both the systems and information used by the supplier and Equinor
• Cyber security incident response, recovery, and reporting
• Cyber security of people, processes, and technology
• Deliberate or accidental actions or omissions by supplier personnel, sub-suppliers or third parties that may harm Equinor’s personnel, activities, or reputation
Suppliers may use compliance with, or certification against, internationally accepted cyber security standards and/or cyber security management systems to indicate complete or partial fulfilment of the above expectations.
1.3 Continuous improvement
Equinor may, on a regular basis, review the cyber security activities of the supplier to ensure the supplier is meeting the Expectations and any other identified additional requirements.
Equinor reserves the right to add, change, enhance or otherwise alter the Expectations and any other identified additional requirements based on incidents, changes to cyber security threats or risks, or changes to the state of the art.
The supplier shall regularly review the cyber security threats and risks to its own operations and operations conducted as a supplier to Equinor. The supplier shall add, change, enhance or otherwise alter its cyber security activities and controls if the review indicates that these activities or controls do not address the risks to its own operations and operations conducted as a supplier to Equinor. The supplier shall establish and maintain a system for handling Equinor Information which corresponds to Equinor’s sensitivity classification of such information. Upon Equinor’s request, the supplier shall establish additional measures to protect Equinor Information if Equinor deems this necessary.
1.4 Information Management
Platforms used for exchanging information between Equinor and the supplier shall have controls in place to prevent exposure of any information from Equinor or the supplier.
The supplier shall return all information in any format to Equinor upon request or at the end of the contract. If any Equinor information cannot be returned, then the supplier should destroy it in a secure manner and present Equinor with certificates of secure destruction. If the supplier is required by legal or regulatory obligations to retain information for a defined period of time, the supplier shall undertake to protect such information for the stated time and then securely destroy such information, presenting Equinor with certificates of secure destruction.
1.5 Personnel Management
The supplier shall ensure that any access granted to its personnel to Equinor Information is managed in accordance with Equinor’s instructions.
The supplier shall ensure that the identity of personnel involved in the performance of the agreement has been properly verified (by manual or automated control), and that such personnel’s qualifications have been confirmed according to specific national and regional laws.
The supplier shall have a dedicated point of contact for cyber security communications and shall require that any Sub suppliers provide the same.
The supplier is responsible for planning and implementing all cyber security training and courses required by the agreement.
1.6 Cyber Security Compliance
The supplier shall upon request present Equinor with evidence of compliance with, or certification against, published nationally or internationally accepted cyber security standards. Suppliers should be able to provide evidence for compliance with one or more of the following standards and frameworks:
• ISO/IEC 27001
• Cyber Essentials
• NIST CSF
• PCI DSS
• ISAE 3402
• COBIT
• ISF Standard of Good Practice
Where a publication date is not provided, the latest published version should be used. Certificates should be valid and have their end-date clearly stated.
2.0 DATA BREACH & INCIDENT NOTIFICATION
In case of a data breach or cyber security incident affecting the ability to deliver according to the contract, the supplier shall notify Equinor without undue delay and no later than 72 hours after the breach is identified.
Where required by legal or regulatory obligation, the supplier shall inform Equinor and any legal or regulatory body within the time frames those obligations state.
The supplier shall notify Equinor by using agreed channels or calling Equinor’s service desk on number +47 51999222.
Information to Equinor’s service desk should include the name of the Equinor representative of this Agreement and sufficient information to enable Equinor to meet its reporting obligations, to inform relevant stakeholders, and to handle the data breach/cyber security incident.
The supplier shall co-operate with Equinor and take all reasonable steps as instructed by Equinor to assist in investigation, mitigation, and remediation of such breach.
2.1 Emergency Situations and Serious Incidents
The supplier shall have established an emergency organisation according to the agreement. The supplier shall not notify or give any information to the media or other units or people without Equinor's consent.
3.0 AUDIT AND VERIFICATION ACTIVITIES
Equinor shall have the right to perform HSE audits and verifications of the supplier, Sub suppliers and their suppliers throughout the duration of the work. Audits and verifications carried out by Equinor shall not relieve the supplier of its responsibility for the work. An action plan based on the report shall be submitted to Equinor as requested. The supplier shall close findings in the report with corrective actions. Acceptable closing of findings shall be documented.