Does your organization have a documented process for escalating material cybersecurity risks identified in your supply chain to senior management and addressing them within your enterprise risk management framework?
Explanation
This question checks the escalation of supply chain risk: whether material cybersecurity risks identified in your supply chain are formally raised to senior management and handled within the enterprise risk management framework.
Material cybersecurity risks in the supply chain (such as critical vulnerabilities in third-party components, security breaches at key vendors, or compliance issues with suppliers) must be communicated upward to decision-makers who can allocate resources and authorize mitigation strategies.
Evidence of fulfillment could include a documented escalation procedure specific to supply chain risks, meeting minutes from executive risk committee discussions of supply chain security issues, a supply chain risk register that includes escalation thresholds, or integration documentation showing how supply chain cybersecurity risks feed into the enterprise risk management system.
Implementation Example
Escalate material cybersecurity risks in supply chains to senior management and address them at the enterprise risk management level.
ID: GV.SC-03.081
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?