Has your organization established integrated control sets that address both cybersecurity risk management and cybersecurity supply chain risk management?
Explanation
Integrated control sets ensure that cybersecurity risk management practices are consistently applied across both internal operations and the supply chain.
This approach prevents security gaps that could arise when treating these domains separately and promotes efficiency by avoiding redundant controls.
Organizations with mature integrated control sets typically have unified governance frameworks, shared risk assessment methodologies, and consistent security requirements for both internal systems and external suppliers.
Evidence could include documentation of a unified control framework (such as a mapping document showing how controls address both internal and supply chain risks), governance documentation showing integrated risk management processes, or a security policy that explicitly addresses both domains under a common framework.
Implementation Example
Establish integrated control sets for cybersecurity risk management and cybersecurity supply chain risk management
ID: GV.SC-03.079
Context
- Function
  - GV: GOVERN
- Category
  - GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
  - Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?