Are cybersecurity supply chain risk management responsibilities and performance requirements explicitly included in relevant job descriptions and personnel documentation?
Explanation
Including specific cybersecurity supply chain risk management responsibilities in job descriptions creates clear accountability and ensures staff understand their security obligations when dealing with vendors and third parties. This practice helps organizations operationalize supply chain security by making it part of formal role expectations rather than an implicit or ad-hoc responsibility.
Evidence could include: sample job descriptions for procurement, vendor management, or IT security roles that explicitly mention supply chain security responsibilities; performance evaluation criteria that include supply chain risk management metrics; or HR documentation templates that incorporate cybersecurity supply chain responsibilities for relevant positions.
Implementation Example
Include cybersecurity supply chain risk management responsibilities and performance requirements in personnel descriptions to ensure clarity and improve accountability
ID: GV.SC-02.073
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

