Has your organization established and maintained a comprehensive inventory of all external dependencies and their relationships to critical assets and business functions?
Explanation
This inventory should document all third-party services, utilities, cloud providers, and other external resources your organization relies on to operate. It should map how these dependencies connect to your critical assets (like data, systems, and infrastructure) and business functions (like operations, finance, or customer service).
An acceptable deliverable would be a structured document or database that lists all external dependencies with details including: the dependency name, service provided, criticality level, associated internal assets/systems, related business functions, contract information, and contingency plans in case of service disruption.
This could be maintained in a spreadsheet, CMDB (Configuration Management Database), or GRC (Governance, Risk, and Compliance) platform.
Implementation Example
Create an inventory of the organization's dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
ID: GV.OC-05.010
Context
- Function
- GV: GOVERN
- Category
- GV.OC: Organizational Context
- Sub-Category
- Outcomes, capabilities, and services that the organization depends on are understood and communicated
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?

