Security requirements for suppliers
Securing the supply chain
Commitment to secure supply chain practices
At Nokia, we believe in collaborating with suppliers, partners, and industry leaders to foster innovation and deliver products and services with trusted experts who excel in their fields, ensuring the highest standards of security. In an interconnected and complex business environment, maintaining strong information security practices across the supply chain is essential to protect organizational assets and maintain customer trust. We are committed to establishing robust and ethical security practices throughout our supply chain to safeguard our operations, customers, and data. To this end, we expect suppliers to demonstrate adherence to Nokia’s supplier security principles described in this section.
Supplier security principles and their application
Nokia has defined supplier security principles to guide the security practices of our suppliers. These principles are designed to be applied throughout the entire lifecycle of our supplier relationships – from onboarding, through the delivery of services or products, to the phase-out process. Nokia ensures that security remains a top priority at every stage, reflecting the growing importance of cybersecurity in the supply chain.
Nokia regularly reviews supplier security principles to ensure they remain aligned with the latest security frameworks and industry best practices. By embedding these principles into our supplier relationships, we are creating a resilient and secure supply chain framework.
Supplier security principles are more than just a set of requirements to prove compliance; they represent an opportunity for Nokia and its suppliers to lead the way in building a secure and resilient supply chain. By adhering to these principles, we can collectively strengthen defenses, protect sensitive data, and mitigate supply chain risks.
Together, we can build a supply chain that is not only secure but also responsible and forward-looking.
Our supplier security principles
Compliance and audits
Suppliers shall enable Nokia to periodically conduct audits and assess supplier security practices, including during material changes in the relationship.
Adherence to security requirements
Suppliers shall comply with applicable security laws and Nokia’s security requirements by implementing necessary controls to maintain robust security.
Security incident management and reporting
Suppliers shall promptly report any security incidents affecting Nokia or Nokia’s customer data through defined communication channels.
People management
Suppliers shall conduct background checks for individuals with access to Nokia data or systems. Additionally, suppliers shall provide ongoing cybersecurity training and awareness programs to their employees.
Management of supplier’s supply chain risks
Suppliers shall manage the cybersecurity risks of their own third parties involved in delivering services or products to Nokia.
Communication of changes
Suppliers shall notify Nokia of any control environment changes that could impact security of services or products delivered to Nokia or Nokia customers.
Contract ramp down clauses
Suppliers shall ensure that Nokia’s assets are returned upon contract termination and that data in the supplier’s custody is either returned in a readable format or securely destroyed, as agreed with Nokia.
Summary of our supplier security principles
1.1 Supplier security audits
Suppliers shall demonstrate compliance with applicable security laws and Nokia’s supplier security principles by providing access to relevant evidence during audits. These audits may involve onsite inspections, remote reviews, or requests for documentary evidence. The list of evidence is detailed within Nokia’s supplier security principles. Furthermore, suppliers shall ensure that independent, internal, or Nokia-led audits are conducted, aligned with industry-standard frameworks such as ISO/IEC 27001, NIST Cybersecurity Framework v2.0, NIST SP 800-53, or Nokia’s Supplier Security Appendix. Suppliers shall appoint a point of contact for Nokia to address security-related matters.
1.2 Continuous monitoring and reassessment
Suppliers shall actively support Nokia’s continuous monitoring and reassessment processes, which are designed to proactively assess cyber risks within the supply chain. Suppliers shall address any identified cyber risks that could impact Nokia or its customers in relation to the services or products they provide. The reassessment process is based on several factors and can be initiated independently of continuous monitoring.
Suppliers shall establish and maintain an information security program that upholds a minimum level of technical and organizational measures, formalized through documented policies, procedures, and process standards.
The key evidence for demonstrating an information security program is categorized into three control areas:
- Organizational
- Technological
- People
Suppliers shall maintain an Incident Response Plan (IRP) that is tailored to the sensitivity of the data, as well as any applicable regulatory and customer contractual requirements. The plan must address the different phases of incident management, including detection, response, and recovery.
Suppliers shall notify Nokia within 24 hours of detecting a security incident impacting Nokia or its customers' data, reporting it to cyber.incident@nokia.com. Suppliers shall collaborate with Nokia to take necessary actions, share incident timelines, severity and impact on the services or products, provide a root cause analysis, and submit remediation plans for major incidents. Additionally, suppliers shall cooperate with forensic investigations and ensure the preservation of incident evidence to meet legal and regulatory requirements.
Suppliers shall conduct background checks for individuals granted access to Nokia data and networks. Additionally, suppliers shall manage access to Nokia data or networks following the need-to-know principle and robust data access management. They must ensure proper provisioning and timely deprovisioning of access for personnel.
Suppliers shall have measures in place to ensure that supplier personnel do not access Nokia data or networks from prohibited geo-locations.
Suppliers shall conduct security awareness training for all employees, including subcontractors, at least annually. Suppliers shall maintain records of training completion and assess its effectiveness. Supplier employees onboarded as Nokia external users shall complete Nokia security awareness training as well.
Suppliers shall assess and continuously monitor their third-party suppliers, including any subcontractors, using the same security standards and ensure their compliance with Nokia's security principles.
Suppliers shall inform Nokia of any third parties involved in the scope of services provided to Nokia or its customers, along with any supply chain risks that could affect the relationship. Additionally, suppliers shall obtain prior written approval from Nokia before sharing Nokia data with any external party.
Suppliers shall notify Nokia of any material changes to their control environment that impact their security posture or affect an auditor's opinion in audit reports, e.g., changes in infrastructure, ownership, or security controls.
Additionally, suppliers shall provide the following:
- Documented communication of material changes, along with a clear confirmation of whether the changes impact the control environment used in delivering services to Nokia or Nokia customers.
- Engagement letter attested by an independent third party confirming that the supplier is undergoing re-audit
- Updates to security controls, such as revised policies, procedures, or audit reports
Suppliers shall return all Nokia data in a readable format, together with any Nokia assets, upon contract termination. Where data is not returned, suppliers shall securely destroy all Nokia or Nokia customer-related data, as agreed with Nokia, following NIST SP 800-88 guidelines for media sanitization.
Additionally, suppliers shall provide the following (as applicable):
- Data destruction certificate
- Completed phase-out process checklist
Audit evidence list
Organizational controls
- Independent security audit reports (e.g., SOC 2 Type 1/2, ISO 27001 with statement of applicability)
- Information security policy
- Risk management policy
- Vulnerability and patch management policy
- Information classification policy
- Business continuity and disaster recovery plans/test reports
- Data privacy policy
- BYOD policy (*if the organization allows use of personal devices)
- Backup and restoration management policy
- Malware protection policy
- AI governance policy (*if the supplier uses AI within the scope of the relationship or provides services that involve the use of AI)
- Physical security policy
- Encryption policy
- Cloud security policy (*if the supplier provides cloud services or uses cloud to host its infrastructure)
- Secure software development lifecycle (SDLC) policy (*if the supplier uses software within the scope of the relationship or develops software for Nokia)
- Incident management policy and plan
- Sample incident ticket and demonstration of the tool used for incident reporting
- Third-party risk management (TPRM) / Supply chain risk policy
- Sample third-party assessment report/due diligence evidence
- Change management policy
Technological controls
- Vulnerability scan results and tool evidence
- Backup and restoration test results and logs
- Encryption implementation evidence (for data at rest, in transit, and in use)
- Incident reporting tool evidence
- Access provisioning and deprovisioning sample
- Network or endpoint security measures evidence (IDS, IPS, firewall, SIEM, DLP, anti-malware solution, etc.)
- Patch management deployment tool evidence and samples
- Sample incident ticket
- Demonstration of the tool used for incident reporting
People controls
- HR security or background check process (describing how individual identity is verified to avoid impersonation, if organization
- Joiners and leavers process
- Security awareness program/training records including Nokia security trainings (if applicable)
- NDA sample signed between supplier and its employees