More rigorous cybersecurity controls are implemented for higher priority suppliers and other third parties
Context and Guidance: Not all suppliers expose an organisation to the same level of risk. Since contractually imposing specific cybersecurity requirements can increase costs, care should be taken to ensure that cybersecurity requirements are proportional to the potential risk. Additional consideration should be given to high priority suppliers (THIRD-PARTIES-1c) because they supply, maintain, or operate critical software components that are essential to the operation of the function. The definition of a critical software component may vary widely depending on the industry or critical infrastructure sector and may be informed by commonly used frameworks or control sets. For example, NIST provides a definition of critical software under Executive Order 14028 that some organisations may be required to adopt. The organisation should implement more rigorous cybersecurity controls if it is determined that the financial impact of a potential risk would be greater than the calculated cost of the risk.
Related Practices
• Input From: Implementing THIRD-PARTIES-1d provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2c, THIRD-PARTIES-2e.