Governance
Principles of supply chain security
- Understand what needs to be protected and why
- Know who your suppliers are and build an understanding of their security measures
- Understand the security risks posed by your supply chain
- Communicate your view of security needs to your suppliers
- Set and communicate minimum security requirements for your suppliers
- Build security considerations into your contracting process and require your suppliers to do the same
- Meet your own security responsibilities as a supplier and consumer
- Raise awareness of security within your supply chain
- Provide support for security incidents
- Build assurance activities into your supply chain management
- Encourage the continuous improvement of security within your supply chain
- Build trust with suppliers
GOV028
Know who your suppliers are and build an understanding of their security measures
You should know who your suppliers are, and who supplies or supports them. Think about how far down your supply chain you need to go to understand who your suppliers are, and to have confidence in them.
You may have to rely on your immediate suppliers for information about sub-contractors, and it may take time to discover the full extent of your supply chain.
Try to establish the answers to the following questions.
- How effective are your suppliers’ current security arrangements? How long have their arrangements been in place?
- Which security measures have you asked your immediate suppliers to provide? Which measures have they, in turn, asked their sub-contractors to provide?
- Have your suppliers and their sub-contractors provided the security requirements you asked for?
- What access (physical and technological) will your suppliers have to your systems, premises, and information? How will you control that access?
- When suppliers are working on your premises, what other information (beyond the information you’ve granted them explicit access to) might they be able to access or view?
- How will your immediate suppliers control their sub-contractors’ access to, and use of, your information and assets? (Remember to include your systems and premises.)
Focus on the parts of your suppliers’ business or systems that handle your contract information or deliver the contracted product or service.
Page last modified: 4/05/2022