Has your organization established formal rules and protocols for information sharing and reporting with suppliers?
Explanation
This question asks whether you have documented rules governing how security incidents, vulnerabilities, and updates are reported between your organization and its suppliers, in both directions. These protocols should define what information can be shared, with whom, through which channels, under what circumstances, and within what timeframe, so that a supplier breach or a vulnerability in a supplied component reaches the right people before it becomes your incident.
Evidence could include a Supplier Information Sharing Policy document, communication and notification clauses in supplier contracts, documented incident reporting procedures for suppliers, or templates for the security notifications that flow between your organization and its suppliers.
Implementation Example
Establish rules and protocols for information sharing and reporting processes between the organization and its suppliers
ID: GV.SC-02.077
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

