J. Supply Chain Management
This domain covers the processes and controls you have in place to ensure the security risk from your supply chain is mitigated.
00) Does your organisation share client data with any third parties, or rely on any third parties to deliver critical services?
Answer yes if your organisation shares any client data with any third parties, which may include sub-processors, or if your organisation relies on any third parties to deliver critical services.
01) Does your organisation have formal agreements in place to control third party use of data that include GDPR requirements?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the relevant requirements of GDPR.
02) Does your organisation have formal agreements in place that mandate suppliers (and downstream suppliers) must have implemented a defined level of information security?
Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that mandates them to have implemented a defined level of information security controls.
03) Does your organisation conduct a business impact assessment for each supplier and give them a corresponding criticality rating?
Answer yes if your organisation assigns each supplier with a criticality rating that is based on a corresponding business impact assessment.
04) Does your organisation have a supplier security policy that outlines the security requirements that your suppliers are expected to meet?
Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!
05) Does your organisation conduct security due diligence against suppliers before entering into a contract?
Answer yes if your organisation conducts relevant security due diligence against each supplier that it works with. The Risk Ledger platform can be used for this - get in touch!
06) Does your organisation conduct regular assurance activities against suppliers to ensure they are meeting their information security requirements?
Answer yes if your organisation conducts annual security assurance against its suppliers to make sure they are meeting their security requirements. The Risk Ledger platform can be used for this - get in touch!