ID.RA-10.176

Does your organization conduct formal risk assessments of suppliers that evaluate both business requirements and cybersecurity controls, including supply chain security?

Explanation

Supplier risk assessments help identify vulnerabilities that could be introduced through third parties who have access to your systems or data. These assessments should evaluate suppliers against your organization's business requirements (e.g., service level agreements, financial stability) and cybersecurity requirements (e.g., data protection practices, security certifications, incident response capabilities). Supply chain security specifically examines how components, software, or services provided by suppliers could introduce security risks into your environment. Evidence of compliance could include documented supplier risk assessment procedures, completed assessment reports for key suppliers, a supplier risk register that tracks findings and remediation plans, or third-party security questionnaires that have been completed and evaluated.

Implementation Example

Conduct supplier risk assessments against business and applicable cybersecurity requirements, including the supply chain

ID: ID.RA-10.176

Context

Function: ID: IDENTIFY
Category: ID.RA: Risk Assessment
Sub-Category: Critical suppliers are assessed prior to acquisition

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub