Service Provider Due Diligence Assessment Procedure
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
Document Type: Procedure | Owner: CISO | Classification: Confidential | Review Cycle: Annual
| Field | Detail |
|---|---|
| Document # | SP-SPDAP-033 |
| Version | V1.2 |
| Issue Date | 08/09/2025 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Document Owner | Head of Sales and Merchants Digital Payments, Head of Human Resource and Admin |
| Authorised By | Yassir Pasha |
Document Creation
| Field | Detail |
|---|---|
| Document # | SP-SPDAP-033 |
| Document Title | Service Provider Due Diligence Assessment Procedure |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 08/09/2025 |
| Document Owner | Head of Sales and Merchants Digital Payments, Head of Human Resource and Admin |
| Author(s) | Simpaisa |
| Purpose | To define a structured process for assessing and managing information security, compliance, and risk posture of service providers before and during engagement. |
| Authorised By | Yassir Pasha |
Reviewed By Steering Committee
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs & Regulatory |
Change Control
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 28/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Frequency definition for monitoring | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Escalation contacts | Salim Karim |
| V1.2 | 08/09/2025 | Simpaisa | Annual Review | Yassir Pasha |
1 Introduction
The selection of appropriate, secure and effective service providers is key to Simpaisa's business strategy. Service providers are used not only to help with the running of an effective company but in many cases to deliver services directly to the customer, such as in the case of web hosting. Other service providers play a major part in whether Simpaisa is successful in reaching its objectives, for example in attracting sufficient visitors to its website.
But service providers must not only deliver good products and services but also do so in a secure way that doesn't put Simpaisa and its customers' data at risk. The time to evaluate whether a supplier can meet these requirements is before a contract is agreed and a service is put in place. This procedure is intended to ensure that sufficient actions are taken, and research completed to reach a reasonable judgement about whether a potential supplier is desirable.
The following related documents are relevant to this procedure:
- Information Security Policy for Service Provider Relationships
2 Service Provider Due Diligence Assessment Procedure
2.1 Prerequisites
Before starting the procedure, the following prerequisites must be in place:
- Requirements for a product or service have been defined
- A budget for the product or service is established
2.2 Timing and Scheduling
This procedure can be initiated at any time, but must be completed before the decision to purchase, and any commitment, is made.
2.3 Procedure
A service provider due diligence assessment should be recorded using the Service Provider Due Diligence Assessment form and retained as evidence of the assessment. The following steps are required:
- Use a fresh copy of the Service Provider Due Diligence Assessment (initial merchant) form and record the details of the assessment, including date/time, assessor name, company under assessment, product or service name and requirements, and the classification of data that may be shared with the supplier.
- Establish to what extent the offering meets the requirements for the product or service. If sufficient requirements are not met, the supplier should not be used, and this procedure terminates.
- Research the details of the company providing the product or service, including registered name, country of registration, approximate size and when they were formed.
- Document the commercial details of the offering under consideration, including price and pricing structure, terms of sale and contract terms including length, applicable law, renewal, and termination.
- Perform an Internet search for the company and the product/service to see if any relevant information is available about their performance and history.
- Find out what information is available about the information security controls used by the service supplier, including information security policy, certifications (e.g., ISO/IEC 27001, Cyber Essentials, and PCI DSS), encryption etc.
- When all relevant information has been obtained and recorded, reach a decision about whether the service supplier should be contracted with for the specific requirements under consideration. Record this decision on the form.
2.4 Support and Escalation
If an error occurs which cannot be corrected using this procedure, support should be obtained using the following information:
| Support Person | Role | Contact | Hours Available |
|---|---|---|---|
| Danish Hamid | CISO | [email protected] | 11:00AM – 6:00PM |
| Rizwan Zafar | Chief Product Officer | [email protected] | 11:00AM – 6:00PM |
| Moiz Bhirya | Chief Strategy Officer | [email protected] | 11:00AM – 6:00PM |
| Ahsan Hussain | Head of Operations | [email protected] | 11:00AM – 6:00PM |
| Ahsan Iqbal | Chief Technology Officer | [email protected] | 11:00AM – 6:00PM |
2.5 Auditing and Logging
Due diligence assessments and their outcomes are logged on the Service Provider Due Diligence Assessment form and stored in the management system folder structure.
2.6 Monitoring
Progress of assessments should be monitored at least monthly while ongoing, although many will be completed within a shorter timeframe.
An annual supplier evaluation, covering the information security policy and certifications (e.g., ISO/IEC 27001, Cyber Essentials, and PCI DSS), should be carried out to check whether the vendor still holds the certifications shared earlier.