GV.SC-05.092

Does your organization require suppliers to provide evidence of their security practices through formal attestation, certification, or inspection processes?

Explanation

This question assesses whether your organization has formal mechanisms to verify that suppliers maintain adequate security controls. By requiring evidence such as SOC 2 reports, ISO 27001 certifications, completed security questionnaires, or allowing security inspections, you can validate that third parties handling your data meet your security standards. Evidence could include supplier contracts with security requirements clauses, a supplier security assessment program document, collected attestations or certifications from key suppliers, or a supplier management policy that outlines security verification requirements.

Implementation Example

Contractually require suppliers to provide evidence of performing acceptable security practices through, for example, self-attestation, conformance to known standards, certifications, or inspections

ID: GV.SC-05.092

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub