Has your organization identified, documented, and communicated external dependencies that could serve as potential points of failure for critical capabilities and services?
Explanation
External dependencies such as third-party vendors, cloud service providers, utility services, or supply chain partners can create vulnerabilities that impact critical business operations. Identifying these dependencies helps organizations understand their complete risk landscape and develop appropriate contingency plans.
Evidence could include a documented dependency map or register that identifies critical external services, their potential impact on operations if disrupted, and contact information for key personnel. This document should be regularly reviewed and shared with relevant stakeholders responsible for business continuity and risk management.
Implementation Example
Identify and document external dependencies that are potential points of failure for the organization's critical capabilities and services, and share that information with appropriate personnel
ID: GV.OC-05.011
Context
- Function
- GV: GOVERN
- Category
- GV.OC: Organizational Context
- Sub-Category
- Outcomes, capabilities, and services that the organization depends on are understood and communicated
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?

