Does your organization conduct formal lessons learned sessions with critical suppliers following significant projects, incidents, or on a regular cadence?
Explanation
Collaborative lessons learned sessions with critical suppliers help identify areas for improvement in security practices, communication protocols, and incident response procedures. These sessions can uncover vulnerabilities in the supply chain, establish better coordination mechanisms, and strengthen relationships with key suppliers who may have access to sensitive systems or data.
Evidence of fulfillment could include meeting minutes or reports from lessons learned sessions, documented action items resulting from these sessions, a formal process document outlining how and when these sessions are conducted, or a schedule of planned and completed supplier review meetings that include lessons learned components.
Implementation Example
Conduct collaborative lessons learned sessions with critical suppliers
ID: GV.SC-08.107
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

