Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
Explanation
A cybersecurity supply chain risk management program helps identify, assess, and mitigate risks from third-party vendors, suppliers, and service providers that may have access to your systems or data. This program should include formal policies defining roles and responsibilities, procedures for vendor assessment and monitoring, and a roadmap for continuous improvement with clear milestones.
Evidence could include: a formal supply chain risk management policy document, implementation roadmap with milestones, vendor assessment procedures, stakeholder communication plan, and documentation showing the program has been shared with relevant internal and external stakeholders.
Implementation Example
Develop the cybersecurity supply chain risk management program, including a plan (with milestones), policies, and procedures that guide implementation and improvement of the program, and share the policies and procedures with the organizational stakeholders.
ID: GV.SC-01.067
Context
- Function: GV: GOVERN
- Category: GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?
- Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?