How Often Should Supplier Risk Assessments Be Conducted?

Rebecca Kappel (Staff) asked 4 months ago

1 Answer
Rebecca Kappel (Staff) answered 4 months ago

Supplier Risk Assessment Frequency

The NIST Cybersecurity Framework (CSF) guidance suggests the following practices for supply chain risk assessment management:

Further Reading: The Definitive Guide to Supply Chain Risk Assessments 

  • Test and Assessment Period for New Suppliers:

      • New suppliers should enter a test and supplier risk assessment period to evaluate their capabilities and compliance with various requirements before actively joining the supply chain.
      • In high-risk areas, suppliers might undergo a series of pilots before fully integrating into the supply chain.
  • Survey Alignment for Tier 1 Suppliers:

      • Tier 1 suppliers are required to provide their suppliers with the same survey that the Original Equipment Manufacturer (OEM) requires of them. This implies a consistent approach to assessing and managing risks across the supply chain tiers.
  • Establishment of Approved Vendor Lists:

      • Approved vendor lists are established for manufacturing partners, indicating a pre-approved list of suppliers that meet specific criteria. This helps ensure that only vendors meeting certain standards are engaged in the supply chain.
  • Quarterly Reviews of Supplier Performance:

      • Quarterly reviews of supplier performance are conducted among a stakeholder group. This suggests a regular supplier risk rating that monitors and evaluates supplier performance on an ongoing basis.
  • Annual Supplier Meetings:

      • Annual supplier meetings are conducted to ensure that suppliers understand the customers’ business needs, concerns, and security priorities. These meetings provide a forum for communication and collaboration between customers and suppliers.

Based on the practices outlined in the guidance, the frequency of supplier risk assessments can be inferred as follows:

  • New suppliers undergo assessments during a test and assessment period.
  • Tier 1 suppliers and their downstream suppliers undergo regular assessments through surveys.
  • Quarterly reviews of supplier performance indicate ongoing, frequent assessments.

The specific frequency for each type of assessment may vary based on the organization’s risk management strategy, the nature of the supply chain, and the criticality of the goods or services provided by the suppliers. It’s important to adapt the frequency based on the organization’s risk appetite.
