Does your organization have a formal process to monitor critical suppliers, services, and products for changes in their risk profiles and update their criticality assessments accordingly?
Explanation
This question addresses whether vendor risk is treated as an ongoing concern rather than a one-time assessment: specifically, whether your organization monitors critical suppliers, services, and products for shifts in their risk profiles and updates their criticality ratings accordingly. Changes in a supplier's security posture, ownership, geographic location, or financial stability can significantly alter the risk that supplier poses to your organization.
Evidence could include a documented supplier monitoring procedure, risk reassessment schedules, examples of updated risk profiles following significant supplier changes, meeting minutes from supplier review sessions, or reports from a third-party risk management platform showing regular monitoring activities.
Implementation Example
Monitor critical suppliers, services, and products for changes to their risk profiles, and reevaluate supplier criticality and risk impact accordingly.
ID: GV.SC-07.101
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

