GV.SC-05.085
Does your organization include comprehensive cybersecurity and supply chain requirements in standard contract language with third parties, along with verification methods for compliance?
Explanation
Third-party relationships introduce security risk whenever a vendor's controls fall short of your organization's own standards, and a contract is often the only enforceable lever you have over that vendor. Standard contractual language should therefore clearly define cybersecurity requirements, data handling expectations (including what data the vendor may access, where it may be stored, and when it must be returned or destroyed), incident notification and response obligations with defined timelines, and supply chain security measures (such as flow-down of requirements to subcontractors and component provenance or SBOM delivery where relevant) that align with your organization's security policies. A requirement that cannot be verified is hard to enforce, so each requirement should be paired with a specific verification method: audit rights, recognized compliance certifications or attestations (for example SOC 2 Type II or ISO/IEC 27001), security questionnaires, or periodic assessments, with the verification cadence tied to the vendor's criticality. Evidence could include template contract language with security provisions, third-party security assessment questionnaires, vendor management policies that outline security requirements, or a vendor security compliance verification schedule with documented verification methods and results.
Implementation Example
Include all cybersecurity and supply chain requirements that third parties must follow, and how compliance with those requirements may be verified, in default contractual language.
ID: GV.SC-05.085
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties