Serviceteam IT Security News

Introduction

The guidance will provide organisations with an improved awareness of supply chain security, as well as helping to raise the baseline level of competence in this regard, through the continued adoption of good practice. Whilst beneficial, this guidance has not been written for organisations with national security (high assurance) requirements.

Most organisations rely upon suppliers to deliver products, systems, and services. You probably have a number of suppliers yourself; it’s how we do business.

But supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption.

Despite these risks, many companies lose sight of their supply chains. In fact, according to the 2016 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers.

A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear.

The principles

This guidance proposes a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.

We have divided these principles into four sections, each representing a stage in the process.

These are:

I. Understand the risks

Before you can do anything to secure your supply chain, you need to understand the risks (and benefits) you are taking on by engaging suppliers.

II. Establish control

How to gain control of your supply chain. This section includes four case studies:

  1. Protecting information that you share with suppliers.
  2. Specifying security requirements to a supplier who is delivering something to you.
  3. Connecting a supplier’s systems to yours.
  4. National security case – where a state actor may target you. 

III. Check your arrangements

Businesses will need to gain confidence in their approach to establishing control over their supply chain.

IV. Continuous improvement

As your supply chain evolves, you’ll need to continue improving and maintaining security.

Additional content

These example supply chain attacks give further context to the principles.

A note on implementation

Implementing these recommendations will take time, but the investment will be worthwhile. It will improve your overall resilience, reduce the number of business disruptions you suffer and the damage they cause. It will also help you demonstrate compliance with GDPR, the new Data Protection Act. Ultimately, these measures may help you win new contracts, because of the trust you have sought in the security of your supply chain.

Further reading

The following sources provide information on managing supply chain security threats and risks:

DCPP (MoD) – DCPP is a joint Ministry of Defence (MOD) / industry initiative to improve the protection of the defence supply chain from the cyber threat.

Government supplier framework – This framework helps the government to manage supplier risk.

ISO 28000 – Specification for security management systems for the supply chain.


Source: NCSC
