An RFP (Request for Proposal) is a formal document through which an organisation invites potential vendors to submit a proposal. In an information-security context, an RFP typically includes specific security requirements: certifications (e.g. ISO 27001), data-residency conditions, SLAs for availability, and incident-response terms. You should embed security criteria early in the procurement process so they feed into vendor evaluation. In an ISMS, assessing supplier risks falls under the controls in Annex A 5.19-5.22.