GV.SC-07.099

Does your organization have a formal process to collect and evaluate evidence of third-party compliance with contractual cybersecurity requirements?

Explanation

This question assesses whether your organization systematically verifies that third parties are meeting the cybersecurity requirements specified in contracts, rather than relying on the signed contract alone. This includes collecting and evaluating documentation such as self-attestations, warranties, certifications (such as SOC 2 or ISO 27001), audit reports, and security questionnaire responses from vendors and partners. Evaluation means more than filing the artifact: check that a report or certificate is current, that its scope actually covers the products and services you contracted for, and that any exceptions or findings it lists are tracked to closure. Evidence of fulfillment could include a documented third-party compliance verification process, a vendor management system that tracks compliance artifacts, sample compliance review reports, or a register of third-party certifications with expiration dates and compliance status.

Implementation Example

Evaluate third parties' evidence of compliance with contractual cybersecurity requirements, such as self-attestations, warranties, certifications, and other artifacts

ID: GV.SC-07.099

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub