This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Digital developments in focus
| 4 minutes read

Are you on top of your cyber supply chain risk? If not, new NCSC guidance may help

Is your organisation one of the mere 7% of businesses who review the cyber risks posed by your wider supply chain, or one of the 93% that don’t? If it’s the latter, the National Cyber Security Centre’s (NCSCs) new supply chain guidance may help. Designed to help medium and larger organisation assess the cyber risks in their supply chain and obtain assurances that mitigations are in place, it has been published in response to a significant rise in supply chain related cyber attacks in recent years.

Why do organisations find it hard to monitor supply chain risk?

The latest government research on cyber breaches suggests that there are a number of reasons why the figures around supply chain monitoring are so low despite supply chain risk being highlighted as a key concern for a number of years now. Some respondents assumed key tech suppliers would offer better security than the organisation itself, or required suppliers to have robust cyber security but never tested this. Others admitted that there may be complacency at board-level when considering supplier risks or that they didn’t know how to monitor the risk when they tried - for example, they didn’t have the necessary time, money, skills etc. or they didn’t know which suppliers to check.

How can you manage supply chain risk in practice?

The guidance sets out a five stage process to help assess and manage supply chain risk which puts into practice the NCSCs 12 supply chain security principles published back in 2018.

Stage 1: Before you start

  • Get a better understanding of the threats to your supply chain based on the nature of your relationship with those suppliers and the access they have to your systems. This involves understanding why someone might want to attack your supply chain and what the impact would be if they did. It also involves ensuring you have the right team and governance processes in place to develop a new approach for assessing supply chain security and getting senior buy-in to make any necessary changes.
  • Understand your wider risk appetite and the existing processes you have to manage risk as these will be relevant to the way you asses your cyber supply chain risk.

Stage 2: Develop an approach to assess supply chain cyber security

  • You need to prioritise your organisation’s crown jewels – this involves understanding the critical aspects and key assets you need to protect in your organisation and the assurances you need from suppliers to protect them. You also need to create a repeatable, consistent approach for assessing the cyber security of your suppliers. This will include, for example, creating tiered supplier security profiles and determining the profile of each supplier as well as creating standard contractual clauses to include in your supply arrangements.

Stage 3: Apply your new approach to all new supplier relationships

  • Ensure cyber security is considered throughout the contract lifecycle. This includes the selection/procurement and contracting process, monitoring and measuring performance against agreed metrics and considering cyber risk at termination (e.g. removing access to systems and regaining control of your assets). The NCSC also suggests that progress in this space should be reported to the board.

Stage 4: Integrate the new approach into your existing contracts

  • You need to identify and prioritise your existing suppliers. Keeping a register of all your suppliers will help – you can then measure ‘high priority’ suppliers against defined security controls and put a plan in place to improve their security where needed. This may include reviewing their contractual clauses.

Stage 5: Continuous improvement is key

  • The cyber risk landscape and your supply chains are continually evolving. You will therefore need to monitor any changes to the threat landscape, collaborate with your suppliers and refine your approach as new risks emerge and circumstances change.

The NCSC has provided both a short PDF summary of the steps and the longer form main guidance which contains much more detail around types of supply relationships, threats and steps you can take. For example, for Stage 2, the PDF summary discusses creating a set of security profiles and including contractual clauses in your supply arrangements while the main guidance sets out an example of a 3-tiered security profile and lists the ‘common arrangements’ that are put into contracts (see box below for the latter).


The guidance was published in response to last year’s government call for views on supply chain security which highlighted the need for further guidance in this space ‘that can be converted into tangible and actionable practices’. It does therefore seek to provide practical steps that those involved in procurement and risk management can take to set up an assessment framework in their organisation. In doing so it may help organisations that are struggling to manage their supply chain risk as they don’t know where to start or which suppliers to focus on. However, it is unlikely to overcome the challenges many face around resource constraints (personnel and funds) and it remains to be seen whether it will help galvanise senior buy-in if this is currently lacking.

Stage 2: Develop an approach to assess supply chain cyber security 
Common arrangements that are put into contracts include:

  • Ensuring that any subcontractors employed by the supplier conduct the same levels of cyber security protection as the supplier itself. This may include restrictions on organisations or regions that may be subcontracted to, or where data is held and notification in the case a subcontractor changes.
  • Incident management response and notification timeframes for responding to a breach, along with provision of support to the organisation to find the root cause.
  • Staff clearances expected and due diligence to be conducted, possibly organisational approval as to which supplier personnel have access to the systems.
  • Ability to audit your supplier and expected frequency of audits.
  • Whether insurance for cyber security incidents is required.
  • Disclosure of previous component vulnerabilities, cyber incidents or data breaches.
  • General cyber security controls to be adhered to (levels of encryption required, end user devices allowed, data destruction, identity and audit controls).
  • Agreement for length of time the equipment will be supported and maintained to avoid equipment falling out of support.
  • Data management including what information can be passed onto a third party supplier. Only necessary data may be transferred out of the organisational network and must be protected via authentication and encryption. Will data be segregated if held on a supplier platform?
  • Ability to invoke a break clause in the contract if the supplier security does not meet expected standards.
  • Any other stipulations that clearly define the organisation’s and supplier’s responsibilities in cyber assurance activities.


cyber, tech procurement and cloud