Supply Chain Security

You must ensure the security of your organisation’s supply chain, so that the organisation and its products or services are not negatively affected by vulnerabilities or incidents at suppliers or in their products and services.

Requirements

Your organisation must establish supply management procedures to ensure supply security and cybersecurity when using direct suppliers or service providers whose services can affect your organisation’s delivery of critical services. A risk-based approach should be established to determine how to manage your suppliers and the importance of each supplier’s delivery. Your procedures must help identify and assess supplier risks and set agreements that ensure suppliers meet your organisation’s requirements.

Selecting Suppliers

You should make sure that the suppliers you choose are able to deliver the required services. You should therefore define clear criteria for selecting suppliers and service providers, which could include:

  • suppliers’ and service providers’ cybersecurity practices, including secure development procedures,
  • the supplier’s or service provider’s ability to meet your organisation’s cybersecurity requirements,
  • the supplier’s ability to maintain an appropriate level of supply security,
  • your organisation’s ability to choose an alternative supplier and limit supply dependencies,
  • the supplier’s financial stability and geopolitical risks.

Contracts

You should also ensure that suppliers maintain appropriate measures that meet the security requirements set out in contracts, which can be supported through service level agreements and audit mechanisms.

Based on the risk assessment, contracts with direct suppliers or service providers may include the following specifications:

  • The supplier and the services delivered must comply with all relevant security and legal requirements.
  • The skills and training expected of supplier staff must be defined.
  • Background checks must be carried out for staff working with critical assets.
  • Suppliers must notify the organisation immediately of relevant incidents and assist with mandatory reporting in case of major incidents.
  • Direct suppliers and service providers must cooperate with supervisory authorities if the organisation is subject to oversight.
  • The organisation must have audit rights, or suppliers must provide audit reports.
  • Delivery times for services, including repairs, must be agreed.
  • Vulnerabilities that may pose a risk to the organisation’s network and information systems must be addressed.
  • If subcontractors are permitted, their responsibilities and required measures must be defined.
  • At contract termination, suppliers must return or securely dispose of data.

You should consider applying these security requirements to existing suppliers, as well as during the selection process for new suppliers and when planning, preparing, managing, and closing procurement of IT services, systems, or products.

Documentation

Your organisation should regularly review its supplier management procedures and keep track of any changes in the cybersecurity practices of direct suppliers or service providers. Reviews should also be carried out after incidents that have affected, or could affect, the security of your organisation’s networks and information systems. The results of these reviews should always be documented.
