Has your organization established security requirements for suppliers, products, and services based on their criticality level and potential impact?
Explanation
This question examines risk-proportionate requirements: whether you set security expectations for suppliers, products, and services according to their criticality and potential impact. For example, a cloud provider hosting sensitive data would have more stringent security requirements than an office supply vendor. Similarly, critical software components would require more thorough security assessments than non-critical tools.
Evidence could include a supplier security policy document, a tiered classification of suppliers with corresponding security requirements, security questionnaires tailored by criticality level, or contractual language templates that incorporate security requirements based on risk assessment outcomes.
Implementation Example
Establish security requirements for suppliers, products, and services commensurate with their criticality level and potential impact if compromised
ID: GV.SC-05.084
Context
- Function: GV: GOVERN
- Category: GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

