Guidance

Assessing supply chain management practice

Created:  28 Jan 2018
Updated:  28 Jan 2018
It is expected that you will already be following good procurement and contracting practice. This guidance offers additional factors that you may consider.


Good: Develop partnerships with your suppliers. If your suppliers adopt your approach to supply chain security as their own, there is much greater potential for success than if you simply mandate compliance.
Bad: Dictate requirements without consultation.

Good: Get suppliers thinking about security from the outset by starting the discussion about security earlier than you would during traditional product assurance engagements.
Bad: Just consider security to be a product assurance issue.

Good: Explain the benefits of achieving the required security improvements to suppliers, e.g. that these will meet compliance requirements, or offer the potential for the supplier to win other contracts.
Bad: Just tell your suppliers what to do, but offer no explanation of the benefits; some suppliers may consequently be reluctant to bid for contracts.

Good: Consider how you will enable suppliers who may require legitimate but ad hoc, occasional or limited access to your business to do so without having to comply with your minimum security requirements for suppliers. Document the procedures for these engagements and train all parties on their use.
Bad: Make no provision for such circumstances, and either require them to meet your security requirements (even though there is little justification for this), or ignore the issue and let people make their own arrangements (hoping it will be okay).

Good: Where required, develop common contract artefacts (e.g. a risk assessment and a self-assessment security questionnaire) to support the contracting process and to enable your suppliers to pass these down to sub-contractors. Share these with your suppliers and train all staff on their use.
Bad: Offer little or no advice on the contracting process, allowing suppliers to do their own thing, and fail to understand the implications of this for assurance about overall supply chain security.

Good: Require these artefacts to be reviewed at appropriate intervals, such as at contract renewal, when there are significant changes, or in response to major incidents.
Bad: Worry about the initial contract, but take little or no interest in subsequent contract renewals, and so fail to spot changes or problems that may have arisen.

Good: Ensure that security considerations are an integral part of the contract competition process and that they influence the choice of supplier.
Bad: Only worry about security at the end of the contracting process, so that these considerations have little influence on your choice of supplier.

Good: Require suppliers to provide appropriate evidence of their security status and ability to meet your minimum security requirements throughout the various stages of the contract competition: perhaps seeking basic assurances of a supplier's ability to meet legal and regulatory requirements as a first gate at initial contract advertisement, but requiring greater detail as the competition narrows to a choice of a few preferred bidders. Ensure these requests do not impose unnecessary workloads on prospective suppliers, particularly in the early stages of contracting when there are many applicants for the contract.
Bad: Ask for more information than you need, can handle, or will use, potentially creating unnecessary workloads for potential suppliers when they have little chance of winning the contract. Be surprised when suppliers do not compete for contracts on these grounds.

Good: When using a self-assessment security questionnaire to aid the contracting process, ensure it matches the minimum security requirements you have set and reduces workloads on suppliers to a necessary minimum. Only require more detailed information when the supplier has progressed to the later contracting stages and is one of a very small number being considered for the contract.
Bad: Just dust off an existing ISO 27001-based questionnaire that you think might do and get suppliers to complete it, even if it bears no resemblance to the minimum security controls you have used (e.g. Cyber Essentials or 10 Steps to Cyber Security). Fail to take account of the workloads this will create for suppliers, and do not seek to match your requirements to the stage of the contract competition.

Good: Allow suppliers time to achieve the desired security improvements: develop risk criteria to manage this transition (e.g. require suppliers to provide a security improvement plan setting out how progress will be made) and stipulate when progress against that plan should be checked.
Bad: Set unrealistic deadlines, or have no clear or consistent risk criteria to inform decisions about suppliers who are unable to make these improvements within agreed timeframes. This may mean you are unable to work with such suppliers, potentially leading to a damaging fall in capability and a reduced choice of suppliers.

Good: Acknowledge any existing security certifications or prior/existing contract approvals that suppliers may have, and allow them to re-use such evidence to demonstrate how it might meet some of your minimum security requirements. But probe appropriately to confirm this is the case.
Bad: Ignore any existing security certifications or contract approvals, requiring suppliers to achieve compliance with your minimum security requirements regardless. This could create unnecessary work and cost for suppliers, harming these relationships.

Good: Expect all suppliers to achieve Cyber Essentials. But understand that some suppliers, even those holding existing security certifications like ISO 27001, may find it difficult to meet the letter of the scheme. Where the letter of the scheme cannot be met, for whatever reason, you should seek to understand what steps the supplier is taking to manage these risks, for example through alternative business processes or compensating security controls, and check to confirm these are suitable.
Bad: Expect all suppliers to achieve Cyber Essentials, but adopt a black and white approach that takes no account of special circumstances. Do not acknowledge any difficulties, and refuse to award contracts to suppliers who find Cyber Essentials certification difficult to achieve, further undermining your own capability and choice of suppliers.

Good: Provide some mapping of the minimum security requirements you have chosen to common commercial security schemes, to help suppliers re-use evidence and other customers to assess equivalence. This will also help suppliers demonstrate how they align with international schemes.
Bad: Provide no support and expect suppliers to do this mapping themselves, potentially increasing workloads and leading to inconsistencies that undermine customers' trust in the evidence they provide.

Good: Monitor and continually improve the process, discontinuing or refining processes that are disproportionate, ineffective or unjustified.
Bad: Allow disproportionate, ineffective or unjustified processes to remain unchanged. Fail to listen to consistent, justified calls for refinement.
