Answer yes if your organisation has documented the baseline level of security controls that it expects its suppliers of different criticalities to adhere to. The Risk Ledger platform can be used for this - get in touch!
In the previous control (I3) we assigned a criticality status to each supplier. This control (I4) makes sure that you have defined the security requirements you expect your suppliers of each classification to meet. The higher the criticality of the supplier, the more comprehensive the security requirements they typically have to meet.
This control is important because it aligns your security requirements with your supplier's and transparently tells the supplier what level of security they must have implemented in order to do business with your organisation. The requirements should be specific and actionable.
This policy can be implemented using a Word- or Excel-based document, or it can be done through Risk Ledger using our Policies tool.
We recommend that you onboard onto Risk Ledger and use the platform to complete all of your supply chain security policies: it is easy to use and maintain, and free! Using the platform you can define your security policies and add your suppliers to automatically comply with controls I3, I4, I5 and I6.
A template policy for a small organisation can be requested at support@riskledger.com.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.