Does your organization include security requirements in agreements with vendors and partners based on the criticality of the data or systems involved?
Explanation
Including security requirements in agreements helps ensure that third parties handling your data or accessing your systems maintain appropriate security controls. The level of security requirements should be proportional to the criticality of the data/systems and the potential impact if compromised. For example, a vendor processing sensitive customer data would have stricter requirements than one providing office supplies.
Evidence could include a vendor security assessment framework, contract templates with security clauses that vary by risk level, or a documented process for determining which security requirements to include in different types of agreements based on risk classification.
Implementation Example
Manage risk by including security requirements in agreements proportional to the criticality of the data or systems involved and the potential impact if they were compromised.
ID: GV.SC-05.087
Context
- Function: GV (GOVERN)
- Category: GV.SC (Cybersecurity Supply Chain Risk Management)
- Sub-Category: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?