Document the organization's supply chain in the supply chain management program.


CONTROL ID
09958
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program. (CC ID: 11742)

This Control has the following implementation support Control(s):
  • Document supply chain dependencies in the supply chain management program. (CC ID: 08900)
  • Establish and maintain a Third Party Service Provider list. (CC ID: 12480)
  • Document supply chain transactions in the supply chain management program. (CC ID: 08857)
  • Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. (CC ID: 11558)

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Suppliers of applications, ICT equipment and services associated with systems are identified. (Control: ISM-1631; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Suppliers of applications, ICT equipment and services associated with systems are identified. (Control: ISM-1631; Revision: 2, Australian Government Information Security Manual, September 2023)
  • The PRA expects firms to assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced … (§ 9.3, SS2/21 Outsourcing and third party risk management, March 2021)
  • the organization's supply chain; (Disclosure 2-6 ¶ 1(b)(ii), GRI 2: General Disclosures, 2021)
  • In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. This provides the organization with critical information for identifying its actual and potential … (§ 1. Step 1. ¶ 1, GRI 3: Material Topics 2021)
  • A single third-party entity can represent all of these areas at the same time and impact the organization’s overall risk posture. The first step to understanding the risks posed by third parties is to know the scope of the business relationship or service provided by the third party. To identify e… (§ 5.1 ¶ 2, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • suppliers; (§ 6.3.3 ¶ 3 Bullet 3, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The organization shall determine and document how these activities will be controlled and integrated into the organization's IT asset management system. The organization shall determine: (Section 8.7 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • service components that are provided or operated by other parties; (§ 8.2.3.1 ¶ 4(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. (§ 4.3 ¶ 2 c), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Map available resources and supply systems in health and other sectors; conduct in-country inventory review of supplies based on WHO's a) Disease Commodity Package (DCP) and b) COVID-19 patient kit, and develop a central stock reserve for COVID-19 case management (Pillar 8 Step 1 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The organization's dependency management process identifies third-party relationships that are in place, including those relationships that were established without formal approval. (DM.ED-2.5, CRI Profile, v1.2)
  • The organization's dependency management process identifies third-party relationships that are in place, including those relationships that were established without formal approval. (DM.ED-2.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • A listing of all payment processing and clearing house settlement arrangements in which the financial institution participates. Include any bilateral retail payment clearing arrangements the institution may have with other institutions that are outside traditional clearing houses such as FedACH and … (App A Tier 1 Objectives and Procedures Objective 2:4 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Report to the Board. Each credit union should report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the credit union's compliance with these guidelines. The report should discuss material… (§ 748 Appendix A. III.F., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • The organization's role in the supply chain is identified and communicated (ID.BE-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's role in the supply chain is identified and communicated (ID.BE-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • The organization's place in critical infrastructure and their industry sector is identified and communicated. (ID.BE-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Tracks, documents, and disseminates to relevant supply ICT chain participants changes to the provenance; (PV-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)