Governance

GOV028

Know who your suppliers are and build an understanding of their security measures

You should know who your suppliers are, and who supplies or supports them. Think about how far down your supply chain you need to go to understand who your suppliers are, and to have confidence in them.

You may have to rely on your immediate suppliers for information about sub-contractors, and it may take time to discover the full extent of your supply chain.

Try to establish the answers to the following questions.

  • How effective are your suppliers’ current security arrangements? How long have their arrangements been in place?
  • Which security measures have you asked your immediate suppliers to provide? Which measures have they, in turn, asked their sub-contractors to provide?
  • Have your suppliers and their sub-contractors provided the security requirements you asked for?
  • What access (physical and technological) will your suppliers have to your systems, premises, and information? How will you control that access?
  • When suppliers are working on your premises, what other information (beyond the information you’ve granted them explicit access to) might they be able to access or view?
  • How will your immediate suppliers control their sub-contractors’ access to, and use of, your information and assets? (Remember to include your systems and premises.)

Focus on the parts of your suppliers’ business or systems that handle your contract information or deliver the contracted product or service.

Page last modified: 4/05/2022