Acceptance testing of procured assets includes consideration of cybersecurity requirements
Context and Guidance: When the third party is responsible for producing or delivering assets to the organisation, the monitoring process should include inspection/testing of the assets to ensure that they meet all stated specifications, including cybersecurity requirements. For example, if there is a requirement to remove all software components that are not required for the operation and/or maintenance of the procured product (games, source code, unused drivers), upon receipt the product could be tested for the inclusion of these components.
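The component check described in the example above can be run as an automated acceptance test at receipt. The following is an added sketch, not part of the original guidance: it compares a file manifest exported from the delivered product against the specification and reports games, source code and drivers that are not required. The manifest, the required-driver list, the directory names and the file suffixes are constructed assumptions standing in for a real contract specification.

```python
from pathlib import PurePosixPath

# Assumed contract terms (hypothetical), taken from the procurement specification.
REQUIRED_DRIVERS = {"e1000e.ko", "ahci.ko"}   # drivers needed for operation/maintenance
SOURCE_SUFFIXES = {".c", ".h", ".cpp", ".java", ".go"}  # source code must not ship
GAME_DIRS = ("/usr/games/", "/usr/share/games/")        # games must not ship

# Constructed sample: file manifest exported from the received product.
DELIVERED_MANIFEST = [
    "/usr/bin/controller",
    "/lib/modules/drivers/e1000e.ko",
    "/lib/modules/drivers/ahci.ko",
    "/lib/modules/drivers/bluetooth.ko",
    "/usr/games/solitaire",
    "/opt/vendor/src/controller.c",
    "/etc/controller.conf",
]

def classify(path):
    """Return the requirement one delivered file violates, or None if acceptable."""
    p = PurePosixPath(path)
    if path.startswith(GAME_DIRS):
        return "game"
    if p.suffix.lower() in SOURCE_SUFFIXES:
        return "source code"
    if p.suffix == ".ko" and p.name not in REQUIRED_DRIVERS:
        return "unused driver"
    return None

def acceptance_findings(manifest):
    """List (item, reason) pairs for every deviation from the specification."""
    findings = [(path, reason) for path in manifest if (reason := classify(path))]
    delivered = {PurePosixPath(path).name for path in manifest}
    # A required driver that is absent is also a failure to meet the specification.
    findings += [(name, "required driver missing")
                 for name in sorted(REQUIRED_DRIVERS - delivered)]
    return findings

def accept(manifest):
    """The asset passes acceptance only when there are no findings."""
    return not acceptance_findings(manifest)

if __name__ == "__main__":
    for item, reason in acceptance_findings(DELIVERED_MANIFEST):
        print(f"REJECT {item}: {reason}")
```

The findings list can be kept with the acceptance record so that a rejected delivery is traceable to the specific requirement that was not met.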
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2b, THIRD-PARTIES-2i, THIRD-PARTIES-2j, THIRD-PARTIES-2k, THIRD-PARTIES-2l, THIRD-PARTIES-2m.