Supply Chain Risk Management Program
GV.SC-01: The program, strategy, objectives, policies, and processes for managing cybersecurity risks in the supply chain are established and accepted by the organization's stakeholders.
  • 1. Regarding the procurement of supplies with potential impacts on the security of information and network systems, including through the use of central procurement tools as per Annex I.1, Article 1, paragraph 1, letter i), of Legislative Decree March 31, 2023, no. 36, the following are provided for: a) the involvement of the cybersecurity organization referred to in measure GV.RR-02 in the definition and execution of procurement processes starting from the identification and design phase of the supply; b) in accordance with the results of the risk assessment associated with the supply referred to in measure GV.SC-07, the definition of security requirements for the supply consistent with the security measures applied by the NIS entity to information and network systems.
  • 2. For the security requirements referred to in point 1, letter b), the following areas are considered, where applicable, at least: a) supplier reliability, taking into account at least their specific vulnerabilities, the overall quality of their products and cybersecurity practices, especially regarding the object of the supply, the ability to guarantee supply, assistance and maintenance over time, as well as, where applicable, the results of coordinated risk assessments for the security of critical supply chains conducted by the NIS Cooperation Group; b) roles and responsibilities within the supply; c) reliability of human resources; d) compliance and security audits; e) vulnerability management; f) business continuity and disaster recovery; g) management of authentication, digital identities, and access control; h) physical security; i) personnel training and awareness; j) data security; k) protection of networks and communications; l) monitoring of security events including accesses and activities carried out; m) incident management and reporting; n) secure code development and security by design and by default; o) routine and evolutionary maintenance including security updates; p) supply decommissioning including data return and deletion; q) subcontracting, sub-supply or related potential security requirements along the supply chain.
Third Party Roles and Responsibilities
GV.SC-02: Roles and responsibilities regarding cybersecurity for suppliers, clients, and partners are established, communicated, and coordinated internally and externally.
  • 1. Within the framework of the cybersecurity organization outlined in measure GV.RR-02, any roles and responsibilities concerning cybersecurity assigned to third-party staff are defined and disclosed to the relevant sections of the NIS entity.
  • 2. The third-party staff mentioned in point 1 who hold specific roles and responsibilities are included in the list referred to in point 2 of measure GV.RR-02.
Supplier Identification and Prioritization
GV.SC-04: Suppliers are identified and prioritized based on criticality.
  • 1. An updated inventory is maintained of the suppliers whose supplies have a potential impact on the security of information and network systems; for each supplier it records at least: a) the contact details of the supply representative; b) the type of supply.
Supplier Cybersecurity Risk Requirements
GV.SC-05: Requirements to address cybersecurity risks in the supply chain are established, prioritized and integrated into contracts and other types of agreements with suppliers and other relevant third parties.
  • 1. Subject to justified and documented regulatory or technical reasons, the security requirements referred to in measure GV.SC-01, point 1, letter b) are included in requests for proposals, calls for tender, contracts, agreements and conventions related to supplies with potential impact on the security of information and network systems.
Third Party Risk Assessment
GV.SC-07: The risks posed by a supplier, its products and services, and other third parties are understood, recorded, prioritized, evaluated, managed, and monitored throughout the relationship.
  • 1. As part of the risk assessment referred to in measure ID.RA-05, the risk associated with supplies is assessed and documented. For this purpose, at least the following are evaluated: a) the supplier's level of access to the NIS entity's information and network systems; b) the supplier's access to intellectual property and data also based on their criticality; c) the impact of a severe supply interruption; d) the time and costs of recovery in case of service unavailability; e) the roles and responsibilities of the supplier in the governance of information and network systems.
  • 2. The compliance of supplies with the requirements of measure GV.SC-05 is periodically verified and documented.