A defined method is followed to evaluate and select suppliers and other third parties
Context and Guidance: Using a defined method for the evaluation and selection of third parties helps make that process consistent and repeatable. For example, a part of the defined method could describe how the organisation will review supplier responses to requests for proposals (RFPs) to determine whether the supplier meets the necessary requirements. This may include consideration of cybersecurity qualifications, legal standing, financial wellbeing, and relationships to foreign governments. Sources of information may include attestations provided by third parties (e.g., attestation of the suitability and effectiveness of the cybersecurity control environment) and vetting based on track record, information from third-party rating services, and open-source information.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2a, THIRD-PARTIES-2d.