Most businesses have multi-tiered supply chains. These may be upstream (i.e. between the business and its suppliers or suppliers’ suppliers) and/or downstream (i.e. between the business and its customers). Vulnerabilities in these supply chains can introduce vulnerabilities to the business and expose it to cyber security risk.
Supply chain security risk is a business risk that can only be mitigated through a holistic risk mitigation plan, which is owned and managed by the business.
Supply chain security risk mitigation plan
Follow these steps to implement a supply chain security risk mitigation plan:
- Map in detail the upstream and downstream supply chains down to individual contracts and sub-contracts.
- Extend your risk assessment process to the upstream and downstream supply chains. Score individual contracts and sub-contracts for risk.
- Conduct due diligence/accreditation/assurance of supplier (and potential supplier) organisations, using measures that are proportionate and appropriate to the assessed risk. These range from statements of assurance (with suggested drafts), through formal accreditation (e.g. to ISO 27001), to actual inspection of the supplier by the prime. Use appropriate tools to manage supplier relationships.
- Apply contractual clauses to address supply chain security issues.
- Put audit arrangements and compliance monitoring in place throughout the contract lifetime.
- Determine contract exit arrangements. Make appropriate arrangements to ensure that there is no residual risk once the contract has been completed.