Does your organization have a formal process to assess the cybersecurity capabilities and risk management practices of potential suppliers before engagement?
Explanation
Supplier due diligence before engagement is what's being checked, specifically whether you assess a prospective vendor's cybersecurity capabilities and risk practices before signing on. A robust supplier assessment process should examine technical security controls, compliance certifications, incident response capabilities, and the supplier's own third-party risk management practices.
Evidence could include a documented supplier security assessment procedure, completed supplier security questionnaires, third-party security assessment reports, or a supplier risk register that shows security evaluations were conducted prior to engagement.
Implementation Example
Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers
ID: GV.SC-06.095
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

