Relevant suppliers are included in incident planning, response, and recovery activities
Incidents rarely stay within your own perimeter. A breach at a key supplier can trigger your incident response, and your own incident may require coordinated action with vendors who have access to your systems. If suppliers are not part of your incident planning, you will be negotiating access revocation, notification procedures, and forensic cooperation in the middle of a crisis.
Implementation steps
- 1
Identify suppliers that must be involved in incident scenarios
For each major incident scenario in your incident response plan, identify which suppliers would need to be notified, which would need to be engaged in the response, and which have access (accounts, API keys, VPN or SSO integrations) that would need to be revoked or suspended. A ransomware event might require contacting your managed security service provider and cloud provider. A data breach involving a SaaS tool requires notifying that vendor and possibly involving them in the investigation. Cover the reverse direction too: which suppliers, if they suffer a breach, would trigger your own incident response.
- 2
Include supplier contact information and procedures in the IR plan
For each relevant supplier identified above, document: the emergency contact name and number, the contractual notification obligations in both directions (what you owe them, what they owe you, and within what timeframe), their incident response team contact, and the specific procedure for revoking or suspending their access, including which accounts, keys, and integrations that covers. This information needs to be findable in under five minutes during an incident, including by on-call staff outside business hours.
- 3
Test supplier coordination in tabletop exercises
At least annually, include supplier notification and coordination as a scenario in a tabletop exercise. Walk through the steps: who calls the vendor, what you tell them, how you coordinate the forensic investigation, and who has the authority to cut the vendor's access. Identify gaps in contact information, notification procedures, or contractual obligations before a real incident reveals them, and feed the findings back into the IR plan.
Evidence required
Incident response plan with supplier coordination section
An incident response plan that explicitly covers how and when to engage relevant suppliers, with current contact information.
- IR plan appendix listing critical vendor contacts and notification procedures
- Supplier escalation matrix included in the IR runbook
- Tabletop exercise scenario involving vendor coordination
Supplier contact directory
A current, accessible list of security and incident response contacts for critical vendors, reviewed on a fixed schedule so it does not go stale.
- Vendor emergency contact list in the IR plan or runbook
- PagerDuty or similar tool with vendor escalation contacts
- Secure document listing vendor CISO or security operations contacts
Related controls
- Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated (Cybersecurity Supply Chain Risk Management)
- A cybersecurity supply chain risk management program is established (Cybersecurity Supply Chain Risk Management)
- Suppliers are known and prioritized by criticality (Cybersecurity Supply Chain Risk Management)
- Supply chain risk management plans include provisions for activities after a supplier relationship ends (Cybersecurity Supply Chain Risk Management)