Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
Explanation
Establishing clear ownership for supply chain risk management ensures accountability and prevents critical security tasks from falling through organizational gaps. These designated roles should have defined responsibilities for identifying, assessing, and mitigating risks from third-party vendors, suppliers, and service providers throughout the supply chain lifecycle.
Evidence could include an organizational chart highlighting these positions, formal job descriptions that explicitly mention supply chain risk management responsibilities, or a RACI matrix (Responsible, Accountable, Consulted, Informed) for supply chain security activities.
Implementation Example
Identify one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities.
ID: GV.SC-02.070
Context
- Function: GV: GOVERN
- Category: GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?
- Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?