Principles of supply chain security
- Understand what needs to be protected and why
- Know who your suppliers are and build an understanding of their security measures
- Understand the security risks posed by your supply chain
- Communicate your view of security needs to your suppliers
- Set and communicate minimum security requirements for your suppliers
- Build security considerations into your contracting process and require your suppliers to do the same
- Meet your own security responsibilities as a supplier and consumer
- Raise awareness of security within your supply chain
- Provide support for security incidents
- Build assurance activities into your supply chain management
- Encourage the continuous improvement of security within your supply chain
- Build trust with suppliers
GOV036
Build assurance activities into your supply chain management
When suppliers are key to the security of your supply chain, make it a condition of their contracts to:
- report to your senior management team on security performance
- follow any risk management policies and processes you specify.
Build the ‘right to audit’ into all contracts and exercise it. Require your suppliers to do the same for contracts they sub-let. Audits may include accessing the service provider’s premises, records, and equipment. (However, this may not always be possible or desirable, particularly when a service is cloud-based.)
When you assess suppliers that offer services to more than one government organisation, consider sharing the assessment to avoid duplication.
Where justified, build assurance requirements into your security requirements, for example assurance reporting, penetration tests, external audits, and formal security certifications.
Establish key performance indicators to measure the performance of your supply chain security management.
Review and act on any findings and lessons learnt.
Encourage suppliers to promote good security behaviours.
Page last modified: 4/05/2022