This guidance is aimed at medium to large organisations who need to gain confidence or assurance that mitigations are in place for vulnerabilities associated with working with suppliers.
Please read in conjunction with the NCSC’s guidance on How to assess and gain confidence in your supply chain cyber security.
Supply chain mapping (SCM) is the process of recording, storing and using information gathered from suppliers who are involved in a company’s supply chain. The goal is to have an up-to-date understanding of your network of suppliers, so that cyber risks can be managed more effectively, and due diligence carried out.
Many organisations rely upon suppliers to deliver products, systems, and services. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. This makes it difficult to know if you have enough protection across the entire supply chain.
Understanding who your suppliers are, what they provide and how they provide will help you manage the cyber security risks that can arise. Mapping your supply chain allows you to make more informed business decisions based upon risk, specifically:
- better insight into the cyber security considerations that could be more easily enforced via contracts
- more prepared to respond to supply chain related cyber incidents
- the ability to establish repeatable methods so you have confidence in suppliers’ security practices, and can build long term partnerships
- easier compliance with legal, regulatory and or contractual responsibilities
- regularly assessing the supply chain will reduce the likelihood of a cyber attack or breach
It is not possible to completely eradicate supply chain attacks. Should a risk materialise, being able to rapidly respond will limit the scope of damage to your organisation.
Gathering information about your suppliers in a consistent manner and storing it in a centralised repository that’s access controlled will ensure it’s easier to analyse and maintain. This ultimately will allow you to better manage the risks, as you’ll have a comprehensive view of the supply chain that is always up to date.
Typical information that may be of use includes:
- a full inventory of suppliers and their subcontractors, showing how they are connected to each other
- what product or service is being provided, by whom, and the importance of that asset to your organisation
- the information flows between your organisation and a supplier (including an understanding of the value of that information)
- assurance contacts within the supplying organisation
- information relating to the completeness of the last assessment, details of when the next assurance assessment is due, and any outstanding activities
- proof of any certifications required, such as Cyber Essentials, ISO certification, product certification
Acquiring this information, especially for large organisations with complex supply chains, can be a massive undertaking. The NCSC guidance on How to assess your supply chain cyber security will assist with this task, and can also ensure that supply chain dependencies from new suppliers is captured.
