Document and maintain supply chain processes.

CONTROL ID
08816
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program., CC ID: 11742

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: (4.7 42, Final Report on EBA Guidelines on outsourcing arrangements)
  • Identification of dependencies, including the processes (incl. the resources required for this), applications, business partners and third parties (Section 5.14 BCM-02 Basic requirement ¶ 2 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • Companies in the supply chain should create internal documentation and records of supply chain due diligence processes, findings, and decisions. (Supplement on Gold Step 1: § I.C.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The types of activities undertaken by those with which it has business relationships (e.g., manufacturing the organization's products, providing security services to the organization). (§ 1. Step 1. Business Relationships ¶ 1 Bullet 2, GRI 3: Material Topics 2021)
  • Records shall be maintained for suppliers which meet the criteria. (§ 4.1.3.a, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Products that are procured for commercial use or industrial use and are delivered from the manufacturer to the authorized distributor are not normally required to contain formal certificates of conformance, and usually contains a commercially acceptable packing list that is maintained in the distrib… (App C § C.2.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • In evaluating the appropriateness of the subject matter when determining whether to accept or continue a SOC 2® examination, relevant matters to consider may include the functions performed by the system, how subservice organizations are used, how information about subservice organizations will be … (¶ 2.46, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)