IVI Framework Viewer

Supplier Security

A6

Define security requirements pertaining to the procurement and supply of hardware, software, services, and data.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Supplier Security at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization may behave in an ad hoc manner: without documented processes or procedures, staff may respond differently according to their differing levels of experience and training.
    Metric
    # Customer complaints/accolades regarding (in)consistency.
2 Basic
  • Practice
    Include basic information security requirements and expectations in procurement activities.
    Outcome
    There is increased participation by key third parties and business partners in securing the organization's assets.
    Metric
    # Security requirements and questions included in key procurement documents such as RFIs; # Suppliers complying with security requirements; # Security incidents involving suppliers.
3 Intermediate
  • Practice
    Define detailed security requirements for suppliers using a structured approach and ensure adherence to them in major procurements.
    Outcome
    Suppliers have an increased understanding of the security expected of them, reducing the risk of security breaches.
    Metric
    # Suppliers complying with security requirements; # Audits of suppliers; # Identified breaches of requirements; # Security incidents involving suppliers.
4 Advanced
  • Practice
    Review detailed security requirements for suppliers regularly and ensure adherence to them in all procurement activities.
    Outcome
    Supplier security is up-to-date and relevant to current business activities and priorities; there is increased confidence that security requirements are being complied with.
    Metric
    # Suppliers complying with security requirements; # Audits of suppliers; # Identified breaches of requirements; # Security incidents involving suppliers.
5 Optimized
  • Practice
    Define, review and update supplier information security requirements regularly across the business ecosystem.
    Outcome
    A consistent and up-to-date approach to security is applied across the supply chain, with less risk of either excessive security controls or failure at the weakest link.
    Metric
    # Audits of suppliers; # Identified breaches of requirements; # Security incidents involving suppliers.