I am curious to get some input in regards to how you manage Suppliers of critical systems. At the moment I am struggling with deciding wheater we should consider all providers of citical systems also as a critical supplier and handle them in our supplier handling process. All critical systems are handled, risk assessed etc. according to our Asset management process. But I now ask myself if it is neccessary to also have all of them inserted as critical supplier and go through all the administrative work related to that.
example: we use Hubspot and this has been evaluated as a critical system. It is included in our system asset register, has gone though a comprehensive system review and we have the relevant contracts/agreements in the contract database. Would you also add Hubspot in the supplier register as a critical supplier? Which means that we will also evaluate the supplier on a regular basis etc.
Another aspect to this is that for systems that we "purchase" via a supplier.. then we don't have the actual provider of the system registered as a supplier but the partner that the system provider is using.
I would love to hear your thughts on this.