Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
Explanation
This question concerns contractual security obligations: reviewers look for a formal process that tracks and manages the cybersecurity requirements written into agreements with suppliers, customers, and partners. Such a process ensures that security requirements are clearly defined, communicated, and maintained throughout the lifecycle of each relationship with a third party that may access, process, or store your sensitive information.
Evidence could include a documented contract-management procedure that specifically addresses cybersecurity requirements, a contract management system that tracks cybersecurity obligations, sample contracts containing security clauses, or reports of regular reviews of third-party compliance with contractual security obligations.
Implementation Example
Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
ID: GV.OC-03.005
Context
- Function
- GV: GOVERN
- Category
- GV.OC: Organizational Context
- Sub-Category
- Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
- Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?