Has your organization defined and documented roles and responsibilities for cybersecurity risk management in third-party relationships, and integrated these into relevant agreements?
Explanation
Third-party risk ownership is under review, specifically whether roles and responsibilities for managing supplier and partner cyber risk are defined, documented, and written into agreements. Defining these responsibilities helps prevent security gaps where each party assumes the other is handling a particular security control.
Evidence could include: documented third-party security policies, contract templates with security responsibility clauses, responsibility assignment matrices (RACI charts) for third-party security management, or redacted examples of agreements that include cybersecurity responsibility clauses.
Implementation Example
Develop roles and responsibilities for suppliers, customers, and business partners to address shared responsibilities for applicable cybersecurity risks, and integrate them into organizational policies and applicable third-party agreements
ID: GV.SC-02.075
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

