Governance

GOV036

Build assurance activities into your supply chain management

When suppliers are key to the security of your supply chain, make it a condition of their contracts to:

  • report to your senior management team on security performance
  • follow any risk management policies and processes you specify.

Build the ‘right to audit’ into all contracts and exercise it. Require your suppliers to do the same for contracts they sub-let. Audits may include accessing the service provider’s premises, records, and equipment. (However, this may not always be possible or desirable, particularly when a service is cloud-based.)

When you assess suppliers that offer services to more than one government organisation, consider sharing the assessment to avoid duplication.

Where justified, build assurance requirements into your security requirements, for example assurance reporting, penetration tests, external audits, and formal security certifications.

Establish key performance indicators to measure the performance of your supply chain security management.

Review and act on any findings and lessons learnt.

Encourage suppliers to promote good security behaviours.

Page last modified: 4/05/2022