GV.SC-07.101

Does your organization have a formal process to monitor critical suppliers, services, and products for changes in their risk profiles and update their criticality assessments accordingly?

Explanation

This question assesses whether your organization maintains ongoing visibility into supply chain risks rather than treating vendor risk as a one-time assessment. Changes in a supplier's security posture, ownership, geographic location, or financial stability can significantly impact the risk they pose to your organization. Evidence could include a documented supplier monitoring procedure, risk reassessment schedules, examples of updated risk profiles following significant supplier changes, meeting minutes from supplier review sessions, or reports from a third-party risk management platform showing regular monitoring activities.

Implementation Example

Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly.

ID: GV.SC-07.101

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate, and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub