This form evaluates whether adding the proposed logistics provider introduces cyber risk or resilience gaps. Please answer accurately; all data is used only for risk assessment.
Provider entity name
Primary service category
Project code or internal ticket
Is this a critical-path supplier (Tier-0 or Tier-1)?
Describe contingency plan if this provider fails:
Which external security certifications does the provider currently hold?
ISO 27001
SOC 2 Type II
PCI-DSS
GDPR/Schrems compliance attestation
TAPA FSR/TSR
C-TPAT
AEO
None
Other
Is the provider willing to share the latest external audit summary?
If not, explain why and propose compensating controls:
Security governance model used by provider
Central CISO office
Regional security officers
Third-party managed security service
No formal model
Does the provider maintain a NIST-aligned ISMS?
If yes, most recent NIST CSF maturity score (0-4):
Categories of data exchanged (select all that apply)
Order metadata
Personally identifiable information (PII)
Payment data
Real-time GPS telemetry
Temperature sensor data
Customer email/phone
None of the above
Will any data be stored outside your primary region?
If yes, list jurisdictions and transfer mechanism used (e.g. SCC, BCR):
Is data encrypted in transit with TLS 1.3 or higher?
Describe current cipher suites and upgrade roadmap:
Is data encrypted at rest using AES-256 or equivalent?
Detail algorithm, key rotation frequency, and HSM usage:
Authentication mechanism for API and dashboard access
OAuth 2.0 + MFA
SAML SSO
API keys only
Username/password only
Other
Is MFA mandatory for all privileged accounts?
If not, list compensating controls (e.g. IP allow-listing, hardware tokens):
Maximum privileged-access session duration (in hours) before automatic re-authorisation
Are service accounts rotated at least every 90 days?
Provide rotation frequency and process:
Is the provider’s production network segmented from corporate IT?
Explain isolation approach or compensating controls:
Are production APIs protected by a WAF with OWASP Top-10 ruleset?
Detail WAF vendor, rule update cadence, and custom rules:
Are external penetration tests conducted at least annually?
If yes, most recent test completion date:
If not, explain rationale and alternative assurance activities:
Is a bug-bounty or responsible-disclosure program active?
If yes, program URL or contact:
Provider’s committed RPO (Recovery Point Objective) in minutes
Provider’s committed RTO (Recovery Time Objective) in minutes
Is there a documented failover to a secondary region/cloud?
Describe current redundancy model:
Are backups immutable (WORM or equivalent)?
Detail backup protection mechanism:
Has the provider tested DR in the last 12 months?
If not, explain why and give the next scheduled test date:
Is Infrastructure-as-Code (IaC) used for all production changes?
Describe manual processes and risk mitigation:
Are container images scanned for CVEs before deployment?
Detail scanning tools, CVSS threshold, and waiver process:
CI/CD pipeline maturity level
Fully automated with gated approvals
Semi-automated with manual stages
Primarily manual
No formal pipeline
Are canary/blue-green deployments used for critical services?
Explain current deployment strategy and rollback time:
Is a post-mortem culture enforced for Sev-1 incidents?
If yes, average closure time for RCAs (days):
Are security logs forwarded to a SIEM with 24×7 SOC?
Detail log retention, encryption, and review frequency:
Log retention period (days) for transactional data
Is real-time anomaly detection enabled for API abuse?
Describe detection mechanisms and false-positive rate:
Will the provider share raw logs with your team under NDA?
Explain restrictions or aggregation policies:
Do contractual terms grant you audit rights (right to audit)?
Explain restriction and any third-party attestation substitution:
Is the provider prohibited from sub-processing without consent?
Detail sub-processor management process:
Are there financial penalties for SLA breaches (security-related)?
If yes, penalty as % of monthly fees or fixed amount:
Can the provider produce an SBOM for all delivered software?
If not, explain the plan and timeline to achieve SBOM generation:
Are third-party libraries scanned for vulnerabilities weekly?
Detail scanning cadence and escalation path:
Is the provider compliant with EO 14028 or equivalent supply-chain standard?
If not, list current gaps and remediation timeline:
Please rate the likelihood and impact of the following risks (1 = Very Low, 5 = Critical)
| Risk | Very Low (1) | Low (2) | Medium (3) | High (4) | Critical (5) |
|---|---|---|---|---|---|
| Data breach during transit | | | | | |
| Ransomware affecting operations | | | | | |
| Insider threat (malicious or accidental) | | | | | |
| Regulatory non-compliance fine | | | | | |
| Extended outage (> SLA) during peak season | | | | | |
Summarise the top three residual risks and mitigations:
Do you attest that all answers are accurate to the best of your knowledge?
Authorised signatory