Has your organization established formal criteria for determining supplier criticality based on data sensitivity, system access levels, and business impact?
Explanation
This question focuses on ranking suppliers by risk: assessors look for formal, documented criteria that derive each supplier's criticality from the sensitivity of the data it handles, its level of access to your systems, and the business impact of its products or services.
Effective supplier criticality criteria should consider what sensitive data suppliers can access, their level of access to your systems, and how essential their services are to your core operations.
Without such criteria, organizations may apply inconsistent security controls across their supplier ecosystem, potentially leaving critical vulnerabilities unaddressed.
Evidence of compliance could include a documented supplier classification framework, risk assessment matrix, or tiered supplier management policy that clearly defines criticality levels and corresponding security requirements for each tier.
Implementation Example
Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission.
ID: GV.SC-04.082
Context
- Function: GV: GOVERN
- Category: GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category: Suppliers are known and prioritized by criticality
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?