Third parties are prioritised according to established criteria (for example, importance to the delivery of the function, impact of a compromise or disruption, ability to negotiate cybersecurity requirements within contracts)
Context and Guidance: Prioritisation of third parties establishes one or more subsets of entities on which the organisation must focus its cybersecurity activities, selected by defined criteria such as their importance to the delivery of the function or their role as a critical supplier. The criteria should be chosen so that the prioritisation scheme, and the resulting list of prioritised third parties, fit the organisation's risk environment and risk tolerance. Failure to prioritise third parties may leave important assets inadequately protected while disproportionate attention and resources go to third parties whose compromise or disruption would have limited impact on the function.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-1a, THIRD-PARTIES-1b, THIRD-PARTIES-1c, THIRD-PARTIES-1d, THIRD-PARTIES-1e, THIRD-PARTIES-1f.