STA-10: Supply Chain Agreement Review

CSF v1.1 References:

PF v1.0 References:

Previous Version:

Control Statement

Review supply chain agreements between CSPs and CSCs at least annually.

Implementation Guidance

Reviews should include activities to identify non-conformance with contractual requirements and SLAs for services a CSP provides. If non-conformance issues are identified, the parties involved should negotiate and remediate the problems.

Auditing Guidance

  1. Determine if a documented review schedule of CSP-CSC supply chain agreements exists on an annual basis and is operating.
  2. Examine the organization's implementation of its third-party management policy.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.