Third-party (vendor) risk management
How to assess and manage risks in the supply chain.
NIS2 emphasises supply chain security as part of cybersecurity risk management. The organisation must assess not only its own systems but also its direct suppliers and service providers.
- Supplier register: Maintain a current list of suppliers, indicating their access to systems, data and critical processes.
- Risk classification: Classify suppliers by impact level: critical, high, medium or low.
- Security assessment: Check each supplier's security practices, vulnerability management, certifications such as ISO 27001 or SOC 2, and secure development practices.
- Contractual requirements: Contracts shall include requirements on confidentiality, data protection, incident reporting, audit rights and access control.
- Continuous monitoring: Review suppliers' security posture, incidents, new vulnerabilities and compliance regularly.
- Termination: Ensure the return or deletion of data, the withdrawal of access rights and the suspension of integrations.
Essential: In the context of NIS2, supplier security is not a one-off check but a continuous risk management process.