Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?
Explanation
A responsibility matrix (such as RACI - Responsible, Accountable, Consulted, Informed) documents which teams or individuals are responsible for specific supply chain security activities, ensuring clear ownership and communication channels. This prevents critical security tasks from falling through the cracks and establishes accountability for supply chain risk management across the organization.
Evidence could include a formal RACI chart or responsibility matrix document that maps supply chain security activities to specific roles, teams or individuals, with clear designation of who is responsible, accountable, consulted, and informed for each activity.
Implementation Example
Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed
ID: GV.SC-02.072
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

