Russia-Ukraine War: 8 Questions to Ask Your Vendors

1) Is the organization located in the region of Ukraine and surrounding areas?

Help text: This assessment relates to the ongoing crisis in the Ukraine region, and how organizations have risk-assessed and taken action to protect themselves and their interests, including employees and other stakeholders, services and systems. “Surrounding areas” refers to countries bordering Ukraine.

Please select ONE of the following:

a) The organization is located in the region or
surrounding areas of Ukraine.

b) The organization is NOT located in the region or
surrounding areas of Ukraine.

2) Does the organization use vendors that are located in the region of Ukraine and surrounding areas?

Please select ONE of the following:

a) Yes, the organization does use vendors that are
located in the region or surrounding areas of
Ukraine.

b) No, the organization does use vendors, who are
not located in the region or surrounding areas of
Ukraine.

3) Following emerging events, has the organization conducted a risk assessment to determine the level of impact caused to its employees, stakeholders, services and systems?

Please select ONE of the following:

a) Yes, a risk assessment has been conducted to
determine the level of impact caused to our
organization.

b) No, a risk assessment has not been conducted
to determine the level of impact caused to our
organization.

4) If “Yes” to question #3: What is the level of impact caused to the organization and its employees, stakeholders, systems and services?

Help text: Consideration should be given to where the impact has occurred, alongside the level of impact.

Please select ONE of the following:

a) Significant impact to the organization and its employees, stakeholders, systems and services.

(Significant impact is defined as: The events have caused safety risks to our employees. Systems or services have stopped working due to security issues. Loss of confidentiality or integrity of data.)

b) High level of impact to the organization and its employees, stakeholders, systems and services.

(High impact is defined as: There is a high degree of safety risks to employees. Some systems or services have periodically stopped. There is some loss of confidentiality or integrity of data.)

c) Low level of impact to the organization and its employees, stakeholders, systems and services.

(Low impact is defined as: No impact to employees or stakeholders, minimal or no disruption to service availability. No loss of confidentiality or integrity of data.)

d) No impact to the organization and its employees, stakeholders, systems and services.

5) Does the organization have a documented continuity or recovery plan in place?

Please select ONE of the following:

a) Yes, a documented continuity or recovery plan is in place.

b) No, a documented continuity or recovery plan is not in place.

6) If “Yes” to question #5: Has the organization been required to activate its continuity or recovery plans?

Please select ONE of the following:

a) The organization has activated its continuity and/or recovery plan.

b) The organization has NOT been required to activate its continuity and/or recovery plan.

7) If “Yes” to question #5: Has the organization updated its continuity or recovery plans to identify and address geopolitical risks and events, and has a Business Impact Assessment been
conducted to identify recovery efforts?

Please select ALL that apply:

a) Business impact assessments have been
conducted, and captured geopolitical risks that
could or have impacted the organization.

b) Based on geopolitical risks and events, the
organization has identified its prioritized order of
recovery.

c) Recovery Time Objectives (RTO) and Recovery
Point Objectives (RPO) are established based
on the business impact assessment.

8) Who is designated as the point of contact who can answer additional queries?

Please state the key contact for managing information on event or continuity management.

Name:

Title:

Email:

Phone: