Does your organization adjust third-party assessment formats and frequencies based on the vendor's reputation and the criticality of their products or services?
Explanation
This question examines risk-based vendor assessment: whether you adjust the format and frequency of third-party reviews according to a vendor's reputation and how critical their products or services are to your organization.
Higher-risk vendors providing critical services should undergo more rigorous and more frequent assessments than lower-risk vendors.
For example, a cloud provider hosting sensitive customer data might require quarterly comprehensive assessments, while an office supply vendor might only need an annual lightweight review.
Evidence could include a documented third-party risk management framework that defines different assessment tiers, frequencies, and formats based on vendor criticality and reputation scores. This might be a matrix showing how assessment depth and frequency increase with risk level, along with examples of the different questionnaires or assessment templates used for each vendor category.
Implementation Example
Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
ID: GV.SC-07.098
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?