Does your organization conduct risk-based due diligence assessments on prospective suppliers prior to establishing business relationships?
Explanation
Supplier due diligence is the subject, namely whether you run risk-based assessments of prospective suppliers before entering into business relationships. Due diligence should include assessments of suppliers' security practices, financial stability, compliance history, and operational capabilities, with the depth of assessment proportional to the criticality of the supplier relationship and access to sensitive data or systems.
Evidence of fulfillment could include a documented supplier due diligence policy, completed supplier risk assessment templates, security questionnaires sent to vendors, third-party risk management procedures, or reports showing supplier evaluation results with risk ratings.
Implementation Example
Perform thorough due diligence on prospective suppliers that is consistent with procurement planning and commensurate with the level of risk, criticality, and complexity of each supplier relationship
ID: GV.SC-06.094
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

