Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?
Explanation
Supply chain accountability is under review, namely whether you have documented the roles and responsibilities for managing cybersecurity risk across vendors in a formal policy. Documenting these roles ensures accountability, prevents gaps in oversight, and establishes clear procedures for addressing supply chain security incidents or vulnerabilities.
Evidence could include a formal supply chain risk management policy document that explicitly defines roles and responsibilities for activities such as vendor security assessments, continuous monitoring, incident response related to supply chain, and remediation processes. The policy should identify specific positions or teams responsible for each aspect of supply chain security management.
Implementation Example
Document cybersecurity supply chain risk management roles and responsibilities in policy
ID: GV.SC-02.071
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?

