Audit Rubric
gv-sc-6 | Priority: high | Govern / Cybersecurity Supply Chain Risk Management

Due diligence is performed before entering into supplier relationships

The cheapest time to find a security problem with a vendor is before you sign a contract. Once a supplier is embedded in your operations, replacing them is costly and slow. Pre-contract due diligence lets you disqualify high-risk vendors, negotiate better security terms before you have no leverage, or accept a risk with eyes open rather than discover it during an audit.

Estimated effort: 4h
Tags: supply-chain, due-diligence, vendor-assessment, procurement, third-party-risk
Complete first: gv-sc-4

Implementation steps

  1. Define the pre-contract security review process

     For each vendor criticality tier, define what security review is required before a contract is signed. Critical vendors might require a full security questionnaire review plus review of a SOC 2 report. High-risk vendors might require a questionnaire only. Low-risk vendors might require just a data classification check. Document the process so procurement can follow it consistently.

     Tools: confluence, notion, jira

  2. Conduct pre-contract security assessments

     Send the appropriate security questionnaire to prospective vendors and review their responses. For critical vendors, also review their most recent SOC 2 Type II or equivalent report, check for any public breach disclosures, and assess their security posture through rating tools if available. Summarize findings and any open risks.

     Tools: whistic, securityscorecard, bitsight, panorays

  3. Document the review outcome and risk acceptance decision

     Record the results of every vendor security review, including what was assessed, what was found, and the decision (approve, approve with conditions, or reject). For approved vendors with open issues, document the compensating controls or risk acceptance. This record protects you in audits and provides context for future reviews.

     Tools: servicenow, jira, notion, google-sheets

Evidence required

Completed vendor security assessments

Records of security reviews conducted before onboarding vendors, with findings and approval decisions.

  • Completed vendor security questionnaire with reviewer sign-off
  • SOC 2 report review summary for a critical vendor
  • Vendor due diligence checklist completed prior to contract signing

Vendor approval records

Documentation showing that vendor onboarding required security approval and that approvals were obtained.

  • Procurement workflow with security approval step and approver name
  • Signed vendor approval memo from security or legal
  • Ticket or task showing security review was required and completed

Related controls