STA-07: Supply Chain Inventory

CSF v1.1 References:

Control is new to this version of the control set.

Control Statement

Develop and maintain an inventory of all supply chain relationships.

Implementation Guidance

Both the CSP and CSC should develop, manage and maintain a comprehensive inventory of all supply chain relationships (i.e., third-party product and service providers) involved in implementing, operating, and securing their respective cloud service implementations. To facilitate supply chain risk management practices, this process should include assembling, tracking, and maintaining key organizational roles, contracts, contacts, and risk-related information about each third party in the supply chain, both regularly and when significant changes occur.

Auditing Guidance

  1. Determine if there is an inventory maintained of all supply chain relationships.
  2. Establish ownership for maintaining this inventory.
  3. Examine the inventory's records to establish whether CSP/CSC relationships are maintained in this inventory.
  4. Determine whether this inventory is subject to review.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.