Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
Explanation
A cybersecurity supply chain risk management strategy defines how your organization identifies, assesses, and mitigates risks from third-party vendors, suppliers, and partners who have access to your systems or data.
This strategy should outline specific objectives, risk tolerance levels, and approaches for managing supply chain security risks throughout the vendor lifecycle.
Without clear objectives, organizations often take an inconsistent approach to supply chain security, potentially leaving critical vulnerabilities unaddressed.
Evidence of fulfillment could include a formal document such as a 'Supply Chain Security Strategy' or 'Third-Party Risk Management Framework' that explicitly states the objectives of the program, defines roles and responsibilities, and outlines the approach for managing supply chain cybersecurity risks.
Implementation Example
Establish a strategy that expresses the objectives of the cybersecurity supply chain risk management program
ID: GV.SC-01.066
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
Related questions
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?
- Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?

