Does your organization maintain a comprehensive supplier inventory that includes criticality ratings for each supplier?
Explanation
A supplier inventory helps organizations track all third parties that provide goods or services, while criticality ratings identify which suppliers pose the greatest risk or are most essential to operations.
This enables proper allocation of resources for supplier risk management, focusing more attention on high-risk or critical suppliers. For example, a cloud hosting provider might be rated as highly critical, while an office supply vendor might receive a lower criticality rating.
Evidence could include a spreadsheet or database containing a list of all suppliers with columns for criticality ratings (e.g., high/medium/low or numerical scores), assessment dates, and criteria used for determining criticality such as data access levels, operational impact, and regulatory requirements.
Implementation Example
Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria
ID: GV.SC-04.083
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Suppliers are known and prioritized by criticality
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

