GOV035
Provide support for security incidents
It’s reasonable to expect your suppliers to manage security risks according to their contracts. But be prepared to provide support and assistance if necessary, for example when a security incident could affect your business or the wider supply chain.
Make requirements clear in supplier contracts
In your contracts with suppliers, clearly set out requirements for managing and reporting security incidents or breaches.
Clarify their responsibilities for advising you about incidents. For example, make it clear how soon after an incident they need to report to you, who the report should go to, and so on. It’s particularly important to ensure your service providers report incidents or suspected incidents that affect:
- their ability to deliver their contracted services
- your organisation’s information (when they’re holding or transporting it).
You should also clearly state what support your suppliers can expect from you following an incident, for example support with clean-up and handling losses.
Consider clarifying how your supplier will manage security incidents or breaches.
Consider including contract conditions that require providers to report to you about breaches of ICT security that involve other clients’ information.
Communicate lessons learnt
When you’ve learnt lessons from security incidents, communicate them to all your suppliers. Help to stop them becoming victims of ‘known and manageable’ attacks.
Page last modified: 4/05/2022