GV.SC-06.094

Does your organization conduct risk-based due diligence assessments on prospective suppliers prior to establishing business relationships?

Explanation

This question evaluates whether your organization has a systematic process for assessing prospective suppliers according to the risk they would introduce to your business before a contract is signed. Due diligence should cover a supplier's security practices, financial stability, compliance history, and operational capabilities, with the depth of the assessment proportional to the criticality of the relationship and to the supplier's access to sensitive data or systems. Evidence of fulfillment could include a documented supplier due diligence policy, completed supplier risk assessment templates, security questionnaires sent to vendors, third-party risk management procedures, or reports showing supplier evaluation results with risk ratings.

Implementation Example

Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship.

ID: GV.SC-06.094

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub