GV.SC-06.095

Does your organization have a formal process to assess the cybersecurity capabilities and risk management practices of potential suppliers before engagement?

Explanation

This question evaluates whether your organization conducts due diligence on suppliers' security posture before establishing business relationships. A robust supplier assessment process should examine technical security controls, compliance certifications, incident response capabilities, and the supplier's own third-party risk management practices. Evidence could include a documented supplier security assessment procedure, completed supplier security questionnaires, third-party security assessment reports, or a supplier risk register that shows security evaluations were conducted prior to engagement.

Implementation Example

Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers

ID: GV.SC-06.095

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron