Do you assess and contractually require cybersecurity practices from your direct suppliers and service providers (Art 21.2.d)?
Demonstrate that the organization conducts documented cybersecurity assessments of direct suppliers and service providers and enforces cybersecurity obligations through binding contractual terms.
Description
What this control does
This control requires organizations to systematically evaluate the cybersecurity maturity and practices of their direct suppliers and service providers, and to embed mandatory cybersecurity requirements in contractual agreements. Organizations must perform due-diligence assessments before onboarding third parties, monitor their ongoing compliance, and ensure that contracts include enforceable clauses covering data protection, incident notification, audit rights, and liability. This control is critical under NIS2 Article 21.2.d, which mandates supply chain security as one of the minimum cybersecurity measures for essential and important entities.
Control objective
What auditing this proves
Demonstrate that the organization conducts documented cybersecurity assessments of direct suppliers and service providers and enforces cybersecurity obligations through binding contractual terms.
Associated risks
Risks this control addresses
- Third-party data breach exposing customer or operational data due to inadequate supplier security controls
- Supply chain compromise introducing malware, backdoors, or vulnerable components into production systems
- Delayed incident detection and response when suppliers fail to notify the organization of security events
- Regulatory non-compliance and penalties when suppliers' security failures result in breaches affecting NIS2-covered services
- Loss of audit trail and forensic capability when suppliers lack logging, monitoring, or evidence retention mechanisms
- Unauthorized subcontracting or fourth-party risk exposure without visibility or contractual oversight
- Inability to terminate or remediate supplier relationships because contracts lack adequate exit provisions and security-breach clauses
Testing procedure
How an auditor verifies this control
- Obtain the organization's supplier and service provider inventory, filtering for those with access to sensitive data, critical systems, or service delivery functions.
- Review the supplier risk assessment methodology, including cybersecurity evaluation criteria, scoring mechanisms, and approval workflows.
- Select a representative sample of at least five direct suppliers or service providers across different risk tiers and service categories.
- Examine pre-contract cybersecurity assessment records for each sampled supplier, verifying completion of security questionnaires, certifications review, or on-site audits.
- Retrieve executed contracts or master service agreements for sampled suppliers and identify clauses addressing information security, data protection, incident notification timelines, audit rights, and breach liability.
- Verify that contracts require suppliers to comply with applicable cybersecurity standards (ISO 27001, SOC 2, NIS2 requirements) and mandate notification of security incidents within defined timeframes.
- Interview procurement and vendor management personnel to confirm assessment processes are followed consistently and that non-compliant suppliers are flagged or rejected.
- Check for evidence of periodic re-assessment or ongoing monitoring activities, such as annual security reviews, certification renewals, or security scorecard updates for active suppliers.