The selection of suppliers and other third parties includes consideration of their cybersecurity qualifications, at least in an ad hoc manner.
Context and Guidance: The cybersecurity qualifications for suppliers and other third parties might include, for example, maintaining a specified level of cybersecurity control implementation, previous cyber incidents involving the third party, background checks for personnel who have access to critical assets, and requirements for reporting breaches and other cybersecurity incidents.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2a, THIRD-PARTIES-2d.