Question: Are suppliers required to report security incidents and cooperate in investigations?
Why This Matters
Timely breach notification from vendors limits damage and enables coordinated containment with regulators and customers.
Maturity
- Level 0: No incident reporting clauses or process.
- Level 1: Vendors inform only if major impact known.
- Level 2: Contract requires breach notification within set timeframe.
- Level 3: Standard template for vendor incident reporting and response review.
- Level 4: Vendor incidents auto-feed into internal IR workflow.
- Level 5: Joint exercises and post-incident lessons shared routinely.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Add breach notification clause to new contracts. |
| 1 → 2 | Define template for incident report (SLA, contact, impact). |
| 2 → 3 | Test notification process annually. |
| 3 → 4 | Integrate into incident ticketing system. |
| 4 → 5 | Conduct joint post-mortems and share playbooks. |
Enablers
- People: CISO, Vendor Manager, Incident Response Lead
- Process: Notify → Validate → Contain → Review
- Technology: Ticketing system, portal, communication templates
Evidence
- Incident notification forms
- Response logs and timeline
- Post-incident report
KPIs
- Average time to vendor notification
- Number of joint IR exercises per year
- Percentage of vendors tested for notification workflow
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Ticketing | Zammad / Redmine | IR workflow integration |
| Templates | Google Docs | Notification forms |
| Tracking | Airtable | Vendor incident log |
Common Pitfalls
- Unclear notification timelines (e.g., “promptly”)
- Contact info outdated in contracts
- Post-incident findings not shared
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | A.5.23 (Incident management with suppliers) |
| NIST CSF 2.0 | DE.AE / RS.CO |
| DPDP Act 2023 | Sec 8(6): Breach notification by Processor |
| NIRMATA Mapping | SC-Q06 ensures timely vendor incident reporting. |