Establishing Trust Among Organizations
Trust relationships between organizations are based on mission and business needs, with varying degrees of trust depending on factors like goals, risk tolerance, and sensitivity of activities. Trust is dynamic and changes over time as circumstances evolve.
Organizations increasingly rely on external service providers and partnerships to achieve their objectives, which necessitates trust relationships. While such relationships can improve productivity and cost efficiency, they also introduce risks that must be addressed through risk management strategies aligned with the organization's goals.
To address the risks of growing dependence on external service providers and partnerships, organizations must:
- Clearly define the services or information to be shared in partnering arrangements.
- Establish the level of control or influence over external partners.
- Ensure services and information are protected according to security requirements.
- Gather information from external partners to assess trustworthiness and risk tolerance.
- Balance mission/business needs with the risks of dealing with competitors or hostile entities, and the potential for indirect attacks through other partners.
- Assess whether the ongoing risk from using services/information or participating in partnerships is acceptable.
- Recognize that decisions to establish trust relationships are expressions of acceptable risk.
Trust decisions reflect acceptable risk and vary with factors such as the nature of the partnership, the criticality of the information shared, and the history between the organizations. When an external party's trustworthiness is insufficient, organizations can mitigate, transfer, or accept the risk, or reduce functionality to avoid it. Senior leaders must explicitly accept the risk, consistent with the organization's risk tolerance and risk management strategy, before establishing trust relationships.
(Source: NIST SP 800-39)