GV.SC-07.100
Does your organization regularly monitor critical suppliers' compliance with security obligations through inspections, audits, tests, or other evaluation methods?
Explanation
This question assesses whether you have an active program to verify that your critical suppliers maintain their security commitments throughout your relationship. Effective supplier monitoring helps identify security gaps before they lead to incidents and ensures continuous compliance with your security requirements. Evidence could include a supplier monitoring schedule, recent audit reports of critical suppliers, documentation of security inspections, test results, or corrective action plans resulting from supplier evaluations. A comprehensive supplier security monitoring program typically includes defined evaluation criteria, scheduled assessment activities, and processes for addressing identified deficiencies.
Implementation Example
Monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle using a variety of methods and techniques, such as inspections, audits, tests, or other forms of evaluation
ID: GV.SC-07.100
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
