Establish and maintain a supply chain due diligence report.

CONTROL ID: 08824
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Follow reliable due diligence processes when creating the annual supply chain due diligence report., CC ID: 08826
  • Disseminate and communicate supply chain due diligence report information to the public., CC ID: 08827
  • Submit the supply chain due diligence report., CC ID: 08828


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Due diligence undertaken during the assessment process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing arrangements. The due diligence process may vary depending on the nature, and extent of risk of the arrangement and impact to the i… (5.4.5, Guidelines on Outsourcing)
  • The programme takes different profiles into account and includes further information for posts and employees who have extensive authorisations or access to sensitive data. External employees of service providers and suppliers of the cloud provider, who contribute to the development or operation of t… (Section 5.3 HR-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization may consider having upstream companies cooperate in building the capabilities of suppliers to conduct due diligence for mineral supply chains from conflict-affected and high-risk areas as part of its risk mitigation measures. (Annex III - Table Supply Chain Policy - Bribery and Fraudulent Misrepresentation on Mineral Origin, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • When reviewing information provided by the institution's third-party providers, determine the adequacy of third-party provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues. Work with the examiner reviewing the third-party mana… (App A Objective 12:17, FFIEC Information Technology Examination Handbook - Management, November 2015)