
Schedule supply chain audits, as necessary.


CONTROL ID: 10015
CONTROL TYPE: Audits and Risk Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Commit to the supply chain due diligence process., CC ID: 08849

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • the dates of the most recent and next scheduled audits, where applicable; (4.11 55(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • The programme takes different profiles into account and includes further information for posts and employees who have extensive authorisations or access to sensitive data. External employees of service providers and suppliers of the cloud provider, who contribute to the development or operation of t… (Section 5.3 HR-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Upon request of the cloud customer, the cloud provider provides information of the results, impacts and risks of these audits and assessments in an appropriate form. If necessary, unscheduled audits can be carried out by independent third parties. (Section 5.16 COM-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Audits must be scheduled inside of 30 days of the date the line-item summary was furnished or a new line-item summary will be required to conduct the audit. (§ A(I) Audit period and re-audit frequency ¶ 1, Conflict-Free Smelter (CFS) Program Supply Chain Transparency Smelter Audit Protocol for Tin, Tantalum and Tungsten, December 21, 2012)
  • Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted. (DM.ED-7, CRI Profile, v1.2)