Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
Explanation
A cross-functional cybersecurity supply chain risk management team ensures that all relevant departments (IT, security, legal, procurement, etc.) collaborate to identify, assess, and mitigate supply chain security risks. This coordination prevents siloed approaches that might miss critical vulnerabilities and ensures consistent security practices across the supply chain ecosystem.
Evidence could include a charter document defining the cross-functional team structure, meeting minutes from regular coordination sessions, a RACI matrix showing responsibilities across departments, or formal policies documenting how different functions contribute to supply chain security risk management.
Implementation Example
Establish a cross-organizational mechanism that ensures alignment between functions that contribute to cybersecurity supply chain risk management, such as cybersecurity, IT, operations, legal, human resources, and engineering
ID: GV.SC-01.069
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?
- Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?

