Has your organization clearly communicated the roles and responsibilities for managing cybersecurity supply chain risks related to third parties?
Explanation
Clarity of ownership over supply-chain cyber risk is what reviewers want, namely whether roles and responsibilities for managing third-party risks have been defined and communicated. Clear role definition ensures accountability for tasks such as vendor risk assessments, contract security requirements, ongoing monitoring, and incident response related to third parties.
Evidence could include an organizational chart showing supply chain security responsibilities, internal communications about these roles (such as emails or intranet posts), documented RACI matrices for third-party risk management, or formal policies that define these responsibilities across departments like Procurement, Legal, IT, and Security.
Implementation Example
Internally communicate cybersecurity supply chain risk management roles and responsibilities for third parties
ID: GV.SC-02.076
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

