Does your organization have a documented process for terminating or transitioning supplier relationships that specifically addresses supply chain security risks and resilience?
Explanation
Secure supplier offboarding is what's being checked, namely whether you have a documented process for ending or transitioning supplier relationships that addresses supply chain security and resilience. Without proper termination/transition planning, organizations risk data breaches, service disruptions, or compliance violations during these critical periods.
Evidence could include a formal supplier offboarding policy document, transition plan templates that include security considerations, or completed supplier transition plans that demonstrate how security risks were addressed during previous supplier changes.
Implementation Example
Develop and execute a plan for terminating or transitioning supplier relationships that takes supply chain security risk and resiliency into account
ID: GV.SC-10.117
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

