STA-08: Supply Chain Risk Management

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: STA-06: Supply Chain Governance Reviews, STA-08: Third Party Assessment.

Control Statement

CSPs periodically review risk factors associated with all organizations within their supply chain.

Implementation Guidance

Both the CSP and CSC should follow applicable local and international third-party risk management (TPRM) best practices in managing supply chain risks, including periodic reviews of organizational and technical risk factors, contract requirements, environmental changes, and security incident response capabilities for all supply chain organizations. There may also be applicable regulatory requirements and standards to consider.

Auditing Guidance

  1. Examine the policy related to identification of risks related to external parties and determine if the organization conducts due diligence of the external party.
  2. Determine whether the policy and control requirements stipulated at the policy level have been implemented.
  3. Determine the periodicity of review of risk factors.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.