CSPs periodically review risk factors associated with all organizations within their supply chain.
Both the CSP and CSC should follow applicable local and international third-party risk management (TPRM) best practices in managing supply chain risks, including periodic reviews of organizational and technical risk factors, contract requirements, environmental changes, and security incident response capabilities for all supply chain organizations. There may also be applicable regulatory requirements and standards to consider.
- Examine the policy on identifying risks related to external parties and determine whether the organization conducts due diligence on each external party.
- Determine whether the policy and control requirements stipulated at the policy level have been implemented.
- Determine how frequently the risk factors are reviewed.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.