Nessco – Supplier Requirements
Nessco is certified according to the quality standard ISO 9001, the environmental standard ISO 14001 and the occupational health and safety standard ISO 45001, and will soon be certified according to the information security standard ISO 27001. We place high demands on ourselves and work continuously to improve our internal processes, our information security and our work within health and safety, and to reduce our adverse effect on the external environment. We require that our suppliers have the same focus on these issues. We expect our suppliers to have a positive and proactive attitude within these areas and to seek sustainable solutions in close cooperation with Nessco.
Suppliers of goods and services purchased must not act contrary to applicable laws and regulations (1), UN conventions, ILO conventions (2) or national labor legislation at the production site. The Universal Declaration of Human Rights must be respected.
When using subcontractors that directly contribute to completion of contracts, the supplier is obligated to pass on these requirements to the subcontractor.
HSE
HSE work is highly prioritized and targeted in Nessco. Our suppliers must emphasize maintaining secure and safe working conditions, including a healthy working environment for all employees. We expect our suppliers to fulfill any requirements in the HSE legislation.
Suppliers certified according to ISO 45001 or equivalent will be preferred in competition with others. All our suppliers must work systematically and with clear targets on HSE issues.
Environment
Nessco wants to contribute to the best possible preservation of the environment. Our products are to be among the best of their kind and we, in our development work, will focus on energy-saving solutions and a minimum of pollution and waste during our products’ life cycle.
Suppliers certified according to ISO 14001 or equivalent will be preferred in competition with others. All our suppliers must demonstrate systematic and targeted work within the environmental area.
Quality
All our suppliers must have an adequate quality management system tailored to their services. They must document that defined quality requirements are an integral part of their business activities.
Nessco has been ISO 9001 certified since 1993, and we prefer suppliers with similar certifications.
Information Security and IT Requirements
All suppliers to Nessco shall apply appropriate technical and organizational measures to protect information related to Nessco. This applies regardless of whether the supplier directly accesses Nessco systems.
As a minimum, suppliers shall:
- Protect the confidentiality, integrity, and availability of information received from Nessco
- Ensure that access to information is limited to authorized personnel only
- Maintain basic protection against malware, unauthorized access, and data loss
- Handle information exchanges with Nessco in a secure manner
- Report any information security incident or suspected breach that may affect Nessco without undue delay
The level of implemented measures shall be proportionate to the nature of the supplied goods or services and the associated risk.
Suppliers certified according to ISO 27001 or equivalent will be preferred in competition with others. All our suppliers must demonstrate systematic and targeted work within information security.
See below for more details of Nessco’s expectations for Information Security and IT Security controls at our suppliers.
Code of Conduct
We expect our suppliers, as well as our employees, to conduct business and work in an ethical and lawful manner and to act with integrity and in compliance with all applicable laws, including anti-trust laws.
We expect our suppliers to conduct their business on the same terms and to accept our "Code of Conduct".
Read our Code of Conduct
Compliance
In the case of significant breaches of our supplier requirements, the consequence may be termination of the contract/cooperation. However, initially we will attempt to collaborate, to give suppliers the opportunity to correct and prevent any breaches through goal setting and action plans.
We require our suppliers to focus on and systematically work with issues regarding health, environment, safety and information security in their own organizations and in their cooperation with others. Our partners must be prepared to verify and document this work on request.
(1) Laws and regulations mean legislation in the country of origin of the delivery.
(2) The International Labour Organization (ILO) is a specialized agency of the United Nations.
ILO is a coalition of representatives from national governments, unions and employers' organizations. ILO has drawn up many conventions, the main and most important of which are referred to as the ILO core conventions.
Oslo, January 21st, 2026, rev. 01
Nessco’s expectations for Information Security and IT Security at our suppliers
All suppliers to Nessco AS shall apply appropriate technical and organizational measures to protect information related to Nessco. This applies regardless of whether the supplier directly accesses Nessco systems. The level of implemented measures shall be proportionate to the nature of the supplied goods or services and the associated risk.
Suppliers with access to larger volumes or more sensitive data are subject to increased security requirements as part of our supplier evaluation.
Nessco expects security controls as follows:
Information Security Governance
- Suppliers shall maintain an information security management framework appropriate to the services provided.
- Clear assignment of security roles and responsibilities.
ISO 27001: A.5 (Information security policies), A.6 (Organization of information security)
Risk Management
- Suppliers must identify, assess, and manage information security risks related to the services.
- Security controls shall be proportionate to risk.
ISO 27001: A.5.4, A.8
Access Control
- Access to customer data restricted to authorized personnel only (least privilege).
- Strong authentication, role-based access, and timely removal of access.
ISO 27001: A.9
Personnel Security
- Background checks where legally permitted.
- Mandatory security awareness and confidentiality obligations for staff.
ISO 27001: A.7
Protection of Information Assets
- Classification of information and appropriate handling rules.
- Encryption of sensitive data in transit and at rest where relevant.
ISO 27001: A.8, A.10
Incident Management & Notification
- Defined process for detecting, managing, and responding to security incidents.
- Obligation to notify the customer of incidents without undue delay.
ISO 27001: A.16
Business Continuity & Availability
- Backup, recovery, and continuity measures appropriate to service criticality.
- Regular testing of continuity plans.
ISO 27001: A.17
Sub-supplier Control
- Suppliers must impose equivalent security requirements on sub-suppliers.
- The supplier shall maintain transparency regarding subcontractors with access to customer information.
ISO 27001: A.15
Audit & Assurance
- Right to audit or receive security assurance (e.g. ISO 27001 certification, audit reports).
- Cooperation with security reviews and assessments.
ISO 27001: A.18, A.15.2
Compliance & Legal Requirements
- Compliance with applicable laws (e.g. data protection).
- Secure data return or deletion at contract termination.
ISO 27001: A.18, A.8.3
