GV.SC-07.098
Does your organization adjust third-party assessment formats and frequencies based on the vendor's reputation and the criticality of their products or services?
Explanation
This question evaluates whether your organization tailors its third-party risk management approach rather than using a one-size-fits-all method. Higher-risk vendors providing critical services should undergo more rigorous and more frequent assessments than lower-risk vendors. For example, a cloud provider hosting sensitive customer data might require quarterly comprehensive assessments, while an office supply vendor might only need an annual lightweight review. Evidence could include a documented third-party risk management framework that defines different assessment tiers, frequencies, and formats based on vendor criticality and reputation scores. This might be a matrix showing how assessment depth and frequency increase with risk level, along with examples of the different questionnaires or assessment templates used for each vendor category.
Implementation Example
Adjust assessment formats and frequencies based on the third party's reputation and the criticality of the products or services they provide
ID: GV.SC-07.098
Context
- Function
  - GV: GOVERN
- Category
  - GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
  - The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship