Suppliers are known and prioritized by criticality
Most organizations have dozens or hundreds of vendors but only a handful that could cause catastrophic damage if compromised or unavailable. Knowing which suppliers are critical and why lets you focus your vendor risk effort where it actually matters. Without prioritization, you either assess everyone equally (expensive) or assess nobody (dangerous).
Implementation steps
1. Build a complete supplier inventory
Gather a list of all vendors, contractors, and service providers that have access to your systems, data, or networks, or that your operations depend on. Common sources include: IT asset lists, SSO provider app assignments, cloud billing accounts, procurement records, and engineering team tool lists. Aim for completeness over perfection.
Suggested tools: Okta, Google Workspace, AWS, Notion, Google Sheets

2. Classify each supplier by criticality
For each supplier, score their criticality based on two factors: the sensitivity of the access they have (data type, system access level) and your dependency on them (would operations stop if they went away?). A supplier with production database access or one that processes customer PII is critical. A supplier that provides branded swag is not.
Suggested tools: Google Sheets, Notion, ServiceNow

3. Review and maintain the prioritized supplier list
Update the supplier inventory at least quarterly and whenever a significant new vendor is onboarded or an existing one expands their access. Critical suppliers should be reviewed more frequently than low-risk ones. The prioritization drives the depth of assessment and frequency of ongoing monitoring.
Suggested tools: Google Sheets, ServiceNow, Notion
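As an added worked example of steps 1 to 3 (not code from this page or from any vendor-risk platform), the Python below merges constructed sample exports from an SSO app list, cloud billing and procurement into one inventory keyed by domain, classifies each supplier with the two-factor rule (access sensitivity and dependency), assigns a review cadence per tier, and flags suppliers that appear in an inventory source but were never assessed. The record shapes, the 1 to 4 scales, the tier names, the review cadences and every supplier in the data are assumptions.

```python
"""Added example, not part of the page or any vendor's tooling.
Builds a supplier inventory from constructed sample exports, applies the
two-factor criticality rule (access sensitivity vs. dependency), and computes
review due dates. Every scale, cadence and record below is an assumption."""
from datetime import date, timedelta

# Constructed sample exports from three inventory sources (assumed shapes).
SSO_APPS = [
    {"name": "Snowflake", "domain": "Snowflake.com", "users": 42},
    {"name": "Notion", "domain": "notion.so", "users": 210},
    {"name": "SwagCo", "domain": "swagco.example", "users": 2},
]
CLOUD_BILLING = [{"name": "Amazon Web Services", "domain": "aws.amazon.com"}]
PROCUREMENT = [
    {"name": "Snowflake Inc.", "domain": "snowflake.com"},
    {"name": "SwagCo Ltd", "domain": "swagco.example"},
    {"name": "PayrollPro", "domain": "payrollpro.example"},  # only in procurement
]

# Constructed assessment answers per supplier. A supplier present in an
# inventory source but absent here has never been assessed and must be flagged.
ASSESSMENTS = {
    "snowflake.com": {"data": "restricted", "access": "admin", "dependency": "outage"},
    "aws.amazon.com": {"data": "restricted", "access": "admin", "dependency": "outage"},
    "notion.so": {"data": "confidential", "access": "write", "dependency": "degraded"},
    "swagco.example": {"data": "public", "access": "none", "dependency": "none"},
}

# Assumed 1-4 scales for the control's two factors.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
ACCESS_LEVEL = {"none": 1, "read": 2, "write": 3, "admin": 4}
DEPENDENCY = {"none": 1, "degraded": 2, "major": 3, "outage": 4}
TIERS = {1: "low", 2: "medium", 3: "high", 4: "critical"}
# Assumed per-tier review cadence in days; the inventory itself is refreshed quarterly.
REVIEW_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}


def build_inventory(sources):
    """Merge records from several named sources into one inventory keyed by
    lower-cased domain, remembering every name and source seen for each."""
    inventory = {}
    for source_name, records in sources.items():
        for rec in records:
            key = rec["domain"].strip().lower()
            entry = inventory.setdefault(key, {"names": set(), "sources": set()})
            entry["names"].add(rec["name"])
            entry["sources"].add(source_name)
    return inventory


def classify(assessment):
    """Access sensitivity = max(data sensitivity, system access level);
    criticality = max(access sensitivity, dependency). Using max rather than a
    sum means one severe factor cannot be averaged away by harmless ones."""
    access_score = max(DATA_SENSITIVITY[assessment["data"]],
                       ACCESS_LEVEL[assessment["access"]])
    return TIERS[max(access_score, DEPENDENCY[assessment["dependency"]])]


def prioritize(inventory, assessments, today):
    """Attach tier and next review date. Unassessed suppliers get their own
    state and are due immediately rather than silently defaulting to low."""
    out = {}
    for domain, entry in inventory.items():
        answers = assessments.get(domain)
        if answers is None:
            out[domain] = {"tier": "unassessed", "review_due": today,
                           "sources": sorted(entry["sources"])}
            continue
        tier = classify(answers)
        out[domain] = {"tier": tier,
                       "review_due": today + timedelta(days=REVIEW_DAYS[tier]),
                       "sources": sorted(entry["sources"])}
    return out


def overdue(prioritized, as_of):
    """Domains whose review is due on or before as_of."""
    return sorted(d for d, v in prioritized.items() if v["review_due"] <= as_of)


def run_example(today=date(2024, 1, 1)):
    inv = build_inventory({"sso": SSO_APPS, "billing": CLOUD_BILLING,
                           "procurement": PROCUREMENT})
    return prioritize(inv, ASSESSMENTS, today)


if __name__ == "__main__":
    result = run_example()
    for domain, v in sorted(result.items(), key=lambda kv: kv[1]["review_due"]):
        print(f"{domain:22} {v['tier']:11} due {v['review_due']} "
              f"seen in {','.join(v['sources'])}")
```

Two design points worth keeping when adapting this: keying on domain rather than display name is what lets "Snowflake" from the SSO export and "Snowflake Inc." from procurement collapse into one supplier, and treating "unassessed" as a distinct state (due today) is what surfaces a vendor like the one found only in procurement, which a default-to-low rule would bury.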
Evidence required
Prioritized supplier inventory
A current list of all vendors with data or system access, classified by criticality level and kept up to date.
- Vendor register with criticality ratings (critical, high, medium, low)
- Third-party risk platform showing vendor inventory with risk scores
- Spreadsheet of all SaaS tools with access level and data classification
Criticality classification criteria
A documented methodology for how suppliers are classified by criticality, so the classifications are consistent and reproducible.
- Vendor risk classification matrix with scoring criteria
- Third-party risk policy section defining criticality tiers
- Assessment questionnaire that drives criticality classification
Related controls
- A cybersecurity supply chain risk management program is established (Cybersecurity Supply Chain Risk Management)
- Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated (Cybersecurity Supply Chain Risk Management)
- Due diligence is performed before entering into supplier relationships (Cybersecurity Supply Chain Risk Management)
- Risks from suppliers are assessed, monitored, and responded to throughout the relationship (Cybersecurity Supply Chain Risk Management)