Has your organization established formal incident response communication protocols with suppliers that define rules for reporting incidents, recovery activities, and status updates?
Explanation
Coordinated incident communication with suppliers is the focus, specifically whether you have formal protocols defining how incidents, recovery activities, and status updates are reported between you. Effective supplier communication protocols help minimize incident impact by establishing when and how suppliers should report incidents that may affect your organization, and how your organization communicates incidents that may impact suppliers.
Evidence could include a documented Supplier Incident Communication Plan, communication templates for different incident types, contact matrices for key supplier security personnel, or sections in supplier contracts that specify incident reporting requirements and timeframes.
Implementation Example
Define and use rules and protocols for reporting incident response and recovery activities and the status between the organization and its suppliers
ID: GV.SC-08.103
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

