GV.SC-04.082

Has your organization established formal criteria for determining supplier criticality based on data sensitivity, system access levels, and business impact?

Explanation

This question assesses whether your organization has a structured approach to categorizing suppliers based on risk factors. Effective supplier criticality criteria should consider what sensitive data suppliers can access, their level of access to your systems, and how essential their services are to your core operations. Without such criteria, organizations may apply inconsistent security controls across their supplier ecosystem, potentially leaving critical vulnerabilities unaddressed. Evidence of compliance could include a documented supplier classification framework, risk assessment matrix, or tiered supplier management policy that clearly defines criticality levels and corresponding security requirements for each tier.

Implementation Example

Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission

ID: GV.SC-04.082

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Suppliers are known and prioritized by criticality

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub