Does your organization include critical suppliers in incident response exercises and simulations?
Explanation
Including critical suppliers in incident response exercises ensures coordinated response capabilities during security incidents that may involve or impact your supply chain. This practice helps identify communication gaps, clarify roles and responsibilities, and test the effectiveness of response procedures across organizational boundaries.
Evidence could include documentation of joint incident response exercises with suppliers, such as exercise plans, after-action reports, or meeting minutes that demonstrate supplier participation in tabletop exercises or simulations. Screenshots of collaborative incident management platforms showing supplier involvement would also serve as appropriate evidence.
Implementation Example
Include critical suppliers in incident response exercises and simulations
ID: GV.SC-08.105
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

