The NCSC's 12 supply chain security principles give organisations a structured way to meet the assurance demands of today's customers.
The principles were published as guidance by the NCSC to help organisations establish effective control and oversight of their supply chains.
They are grouped into four stages, to be worked through in order: understand the risks, establish control, check your arrangements, and put in place what is needed for continuous improvement.
There must be an understanding of what needs to be protected and why, before work can begin in earnest.
Knowing who your suppliers are and understanding what their security looks like, perhaps by using tools to assess the maturity of your suppliers’ people security arrangements, is also crucial to the process.
It is fundamental for companies to understand the security risk posed by their supply chain, for example a supplier failing to secure their systems adequately, or a malicious insider at a supplier.
You may decide that suppliers providing basic commodities, such as stationery, require a very different approach from those that provide critical services or products.
Communicating your view of security needs to suppliers, along with minimum security requirements that are proportionate to the risk, helps keep the process realistic rather than overbearing, particularly for smaller businesses.
Where the risk justifies it, build in assurance requirements such as Cyber Essentials or Cyber Essentials Plus.
You might choose to provide support for security incidents where they have the potential to affect your business or the wider supply chain.
Providing advice and support, and allowing suppliers time to achieve security improvements, all help to build trust with them.
It must not be forgotten that you are part of someone else's supply chain too: meet any security requirements placed on you as a supplier, just as you enforce the requirements you place on others.
This blog is based upon an original article published on the NCSC's website. The unabridged article can be found at www.ncsc.gov.uk