This form evaluates whether adding the proposed logistics provider introduces cyber risk or resilience gaps. Please answer accurately; all data is used only for risk assessment.
Provider entity name
Primary service category
Project code or internal ticket
Is this a critical-path supplier (Tier-0 or Tier-1)?
Which external security certifications does the provider currently hold?
ISO 27001
SOC 2 Type II
PCI-DSS
GDPR/Schrems compliance attestation
TAPA FSR/TSR
C-TPAT
AEO
None
Other
Is the provider willing to share the latest external audit summary?
Security governance model used by provider
Central CISO office
Regional security officers
Third-party managed security service
No formal model
Does the provider maintain a NIST-aligned ISMS?
Categories of data exchanged (select all that apply)
Order metadata
Personally identifiable information (PII)
Payment data
Real-time GPS telemetry
Temperature sensor data
Customer email/phone
None of the above
Will any data be stored outside your primary region?
Is data encrypted in transit with TLS 1.3 or higher?
Is data encrypted at rest using AES-256 or equivalent?
Authentication mechanism for API and dashboard access
OAuth 2.0 + MFA
SAML SSO
API keys only
Username/password only
Other
Is MFA mandatory for all privileged accounts?
Maximum privilege access duration (in hours) before automatic re-authorisation
Are service accounts rotated at least every 90 days?
Is the provider’s production network segmented from corporate IT?
Are production APIs protected by a WAF with OWASP Top-10 ruleset?
Are external penetration tests conducted at least annually?
Is a bug-bounty or responsible-disclosure program active?
Provider’s committed RPO (Recovery Point Objective) in minutes
Provider’s committed RTO (Recovery Time Objective) in minutes
Is there a documented failover to a secondary region/cloud?
Are backups immutable (WORM or equivalent)?
Has the provider tested DR in the last 12 months?
Is Infrastructure-as-Code (IaC) used for all production changes?
Are container images scanned for CVEs before deployment?
CI/CD pipeline maturity level
Fully automated with gated approvals
Semi-automated with manual stages
Primarily manual
No formal pipeline
Are canary/blue-green deployments used for critical services?
Is a post-mortem culture enforced for Sev-1 incidents?
Are security logs forwarded to a SIEM with 24×7 SOC?
Log retention period (days) for transactional data
Is real-time anomaly detection enabled for API abuse?
Will the provider share raw logs with your team under NDA?
Do contractual terms grant you audit rights (right to audit)?
Is the provider prohibited from sub-processing without consent?
Are there financial penalties for SLA breaches (security-related)?
Can the provider produce an SBOM for all delivered software?
Are third-party libraries scanned for vulnerabilities weekly?
Is the provider compliant with EO 14028 or equivalent supply-chain standard?
Please rate the likelihood and impact of the following risks (1 = Very Low, 5 = Critical)
| Risk | Very Low | Low | Medium | High | Critical |
|---|---|---|---|---|---|
| Data breach during transit | | | | | |
| Ransomware affecting operations | | | | | |
| Insider threat (malicious or accidental) | | | | | |
| Regulatory non-compliance fine | | | | | |
| Extended outage (> SLA) during peak season | | | | | |
Summarise the top three residual risks and mitigations:
Do you attest that all answers are accurate to the best of your knowledge?
Authorised signatory