The organization shall maintain a structured process to review, evaluate and update its supply chain security policy through both event-driven and planned activities. The policy should remain effective, relevant and aligned with the organization’s supplier landscape, risk exposure, regulatory obligations and business needs. The process should include:
- A review of the supply chain security policy following significant supplier-related security incidents, major changes in supplier operations, material shifts in risk, or at defined recurring intervals.
- An evaluation of whether incidents, changes, or periodic assessments reveal gaps, weaknesses, or unclear expectations in the existing policy.
- An assessment of the impact of changes in supplier and service provider cybersecurity practices, services, access levels, or dependencies on the organization’s risk profile.
- Consideration of the relevant changes in regulations, internal security objectives, and operational requirements as part of the review.
- A determination of whether policy updates, additional requirements, or corrective actions are necessary based on the evaluation.
- Documentation of the outcomes of each review, including decisions taken, required updates, and assigned responsibilities.
- Updating of the supply chain security policy as needed, with changes communicated to relevant internal stakeholders.
This approach ensures that lessons learned from incidents and changes, as well as ongoing business and risk developments, are systematically reflected in the supply chain security policy, reducing the likelihood of recurring issues while maintaining effective governance processes overall.