Cyber Security Baseline Expectations to Suppliers
Equinor’s Cyber Security Baseline Expectations to Suppliers (termed Expectations in the rest of this document) is a framework designed to ensure the integrity, confidentiality, and availability of information shared with suppliers. This document serves as a foundation for fostering a secure environment throughout our supply chain. By meeting these expectations, suppliers contribute to the overall resilience of our joint operations, safeguard our joint interests, and reinforce the trust and confidence of all stakeholders.
The Expectations typically constitute part of the agreement between a supplier and Equinor for supply of materials or services. Additional cyber security requirements may also apply subject to cyber security risk assessments performed by Equinor.
1. GENERAL
It is Equinor’s intention that, in the implementation and administration of the agreement, the supplier shall use their own internal cyber security frameworks (including policies, systems, routines and procedures) where these meet or exceed Equinor’s Expectations.
The supplier shall adapt their frameworks to comply with the Expectations where these are not met.
When work is carried out at Equinor’s Sites, suppliers shall follow appropriate Equinor guidelines.
Definitions
Equinor Information means any information that Equinor shares with the supplier or an appointee in connection with the performance of the agreement, including but not limited to personal data and Equinor data.
HSE means Health, Safety, Security, Social Responsibility and Environment.
Site means the place where the work is being performed.
Sub suppliers and their suppliers means all parties other than the supplier performing part of the work and includes all levels in the supply chain.
Cyber Security Management System
The supplier shall have implemented, or be able to demonstrate compliance to, a cyber security management system based on published, internationally accepted standards. The cyber security management system shall include all activities conducted by the supplier related to the delivery of the contract.
The supplier’s cyber security management system shall, at a minimum, cover:
• The identification, assessment, treatment, and reporting of cyber security risks
• Application of controls to protect both the systems and information used by the supplier and Equinor
• Cyber security incident response, recovery, and reporting
• Cyber security of people, processes, and technology
• Deliberate or accidental actions or omissions by supplier personnel, sub-suppliers or third parties that may harm Equinor’s personnel, activities, or reputation
Suppliers may use compliance with, or certification against, internationally accepted cyber security standards and/or cyber security management systems to indicate complete or partial fulfilment of the above expectations.
Continuous improvement
Equinor may, on a regular basis, review the cyber security activities of the supplier to ensure the supplier is meeting the Expectations and any other identified additional requirements.
Equinor reserves the right to add, change, enhance or otherwise alter the Expectations and any other identified additional requirements based on incidents, changes to cyber security threats or risks, or changes to the state of the art.
The supplier shall regularly review the cyber security threats and risks to its own operations and operations conducted as a supplier to Equinor. The supplier shall add, change, enhance or otherwise alter its cyber security activities and controls if the review indicates that these activities or controls do not address the risks to its own operations and operations conducted as a supplier to Equinor. The supplier shall establish and maintain a system for handling Equinor Information which corresponds to Equinor’s sensitivity classification of such information. Upon Equinor’s request, the supplier shall establish additional measures to protect Equinor Information if Equinor deems this necessary.
Information Management
Platforms used for exchanging information between Equinor, and the supplier shall have controls in place to prevent exposure of any information from Equinor or the supplier.
The supplier shall return all information in any format to Equinor upon request or at the end of the contract. If any Equinor information cannot be returned, then the supplier should destroy it in a secure manner and present Equinor with certificates of secure destruction. If the supplier is required by legal or regulatory obligations to retain information for a defined period of time, the supplier shall undertake to protect such information for the stated time and then securely destroy such information, presenting Equinor with certificates of secure destruction.
Personnel Management
The supplier shall ensure that any access granted to its personnel to Equinor Information is managed in accordance with Equinor’s instructions.
The supplier shall ensure that the identity of personnel involved in the performance of the agreement has been properly verified (by manual or automated control), and that such personnel’s qualifications have been confirmed according to specific national and regional laws.
The supplier shall have a dedicated point of contact for cyber security communications and shall require that any Sub suppliers provide the same.
The supplier is responsible for planning and implementing all cyber security training and courses required by the agreement.
Cyber Security Compliance
The supplier shall upon request present Equinor with evidence of compliance with, or certification against, published nationally or internationally accepted cyber security standards. Suppliers should be able to provide evidence for compliance with one or more of the following standards and frameworks:
• ISO/IEC 27001
• Cyber Essentials
• NIST CSF
• PCI DSS
• ISAE 3402
• COBIT
• ISF Standard of Good Practice
Where a publication date is not provided, the latest published version should be used. Certificates should be valid and have their end-date clearly stated.
2. DATA BREACH & INCIDENT NOTIFICATION
In case of a data breach or cyber security incident affecting the ability to deliver according to the contract, the supplier shall notify Equinor without undue delay and no later than 72 hours after identified breach.
Where required by legal or regulatory obligation, the supplier shall inform Equinor and any legal or regulatory body within their time frames stated.
The supplier shall notify Equinor by using agreed channels or calling Equinor’s service desk on number +47 51999222.
Information to Equinor’s service desk should include name of the Equinor representative of this Agreement and include sufficient information to enable Equinor to meet its obligations to report to inform relevant stakeholders and to handle the data breach/cyber security incident.
The supplier shall co-operate with Equinor and take all reasonable steps as instructed by Equinor to assist in investigation, mitigation, and remediation of such breach.
Emergency Situations and Serious Incidents
The supplier shall have established an emergency organisation according to the agreement. The supplier shall not notify or give any information to the media or other units or people without Equinor's consent.
3. AUDIT AND VERIFICATION ACTIVITIES
Equinor shall have the right to perform HSE audits and verifications towards the supplier, Sub suppliers and their suppliers throughout the duration of the work.
Audits and verifications carried out by Equinor shall not relieve the supplier of its responsibility for the work.
An action-plan based on the report shall be submitted to Equinor as requested. The supplier shall close findings in the report with corrective actions. Acceptable closing of findings shall be documented.