T7.8.2 - SUPPLIER REVIEW Implementation Guidance
The entity shall conduct a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
Supplier reviews include, for example:
- A. Analysis of supplier processes used to design, develop, test, implement, verify, deliver, and support information systems, system components, and information system services
- B. Assessment of supplier training and experience in developing systems, components, or services with the required security capability
These reviews provide entities with increased levels of visibility into supplier activities during the system development life cycle to promote more effective supply chain risk management. Supplier reviews can also help to determine whether primary suppliers have security controls in place and a practice for vetting subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractors.