
Securing supply chains – a practical guide.

This guide assists organisations in strengthening their cybersecurity within the supply chain through structured risk management, requirement setting, and monitoring.
The approach is divided into three key areas:
  • Understanding risks – Mapping and analysing security risks in the supply chain.
  • Gaining control – Establishing and maintaining security requirements for suppliers.
  • Building resilience – Developing ongoing security improvements and incident management.

1. Understanding risks

Mapping helps your organisation identify and comprehend security risks within the supply chain. Risk mapping should include an assessment of business-critical suppliers, information flows, and any legal risks.

1.1 What needs protection and why

This stage involves mapping and defining the information and systems that require protection, and why. Which suppliers and systems pose the greatest risk to your ongoing operations if they are compromised or unavailable? A risk matrix can be used to visualise and prioritise risks based on likelihood and impact.

You should map:
  • The legal risks, i.e. any weaknesses in the contracts you have or will have with your suppliers.

  • What information or assets the supplier has access to and manages as part of the agreement, and their value to your business.

  • The level of protection you require from your suppliers, both regarding their handling of your information and assets, and the products or services they provide.

1.2 Map your suppliers

Identify the risks and threats posed by your suppliers. Begin by assessing their resilience and continuity capabilities. Evaluate the information they can access within your organisation and whether they provide services or products critical to your business. Consider the consequences if this information were exposed, lost, or fell into the wrong hands.

You should map and specify:
  • Who your suppliers are. Consider how many tiers down the supply chain you need to go to understand and trust the entire delivery. You may have to rely on your direct suppliers to provide information about their subcontractors, and it can take time to establish the full extent of your supply chain.

  • The maturity and effectiveness of your suppliers regarding their security capabilities and cyber hygiene.

  • The security requirements you impose. Are these realistic based on what the supplier delivers, and can your suppliers meet them?

  • Whether the requirements you have set are actually met, and how you verify this.

  • Understand the physical and logical access your suppliers have to your systems, premises, and information, and how you can control it.

  • Understand how your immediate suppliers control access to and use of your information and/or assets – including systems and premises.

1.3 Estimate the security risk

Assess the risks and their implications for your information or assets, as well as for the products or services to be delivered. This applies to the supply chain as a whole, not only to direct suppliers. It is important to take a business-driven risk perspective; for the public sector, this can translate into protecting reputation and public trust. A risk matrix can help visualise and prioritise risks based on likelihood and impact.

Common threats in the supply chain
  • Cyberattacks on suppliers (e.g. ransomware, or compromise of a supplier's software, update channel or access credentials that is then used against its customers)

  • Insider threats and social engineering (unauthorised access via employees)

  • Insufficient data protection and incident management

  • Inadequate monitoring of subcontractors

Establish appropriate limits

Understanding the risks associated with your supply chain is key to ensuring that security measures and requirements are proportionate, effective, and acceptable. Use this understanding to determine the protection levels you expect your suppliers throughout the supply chain to provide.

Action plan

Document your work and establish a "Supply chain policy". It may be helpful to group different contracts or suppliers into risk profiles based on considerations that affect your business in terms of potential losses, damages, or interruptions, and the capabilities of likely threats. Take into account the type of service/product provided and the sensitivity of the information they handle. Each profile will require different management to reflect your view of the associated risks.

A suggested approach is to conduct a risk and impact analysis and categorise your suppliers as:
  • Critical

  • Essential

  • Important

  • Other

Regulatory compliance

NIS2, DORA and the AI Act set requirements for supplier security. Organisations in scope of these regulations must ensure that their suppliers meet the resulting requirements and implement fundamental cybersecurity measures.

2. Gaining control

This section helps you gain and maintain control over your supply chain. With better control, you can analyse strategic risks, such as:

  • Identifying suppliers who fail to meet your expectations for security and performance.

  • Identifying critical assets and any over-reliance on individual suppliers.

2.1 Set minimum requirements

To ensure consistent and robust cybersecurity throughout the supply chain, suppliers should meet clear, standardised security requirements during the contract period. These should be based on established international standards (e.g. ISO 27001, NIST CSF, CIS Controls) and tailored to your organisation's risk profile.

Using standard controls and analytical tools saves time for you and your suppliers, who will face increased demands from multiple customers due to tightening regulations (NIS2, DORA, AI Act, etc.).

These requirements should reflect your assessment of security risks but also consider your suppliers' maturity and their ability to meet the demands you set. Ensure minimum security requirements are justified, proportionate, and achievable for suppliers.

For critical suppliers, deeper checks and security audits may be warranted. Set different maturity requirements based on the supplier's risk level – avoid requiring all suppliers to meet the same maturity level if it's not proportionate or justified. Explain these requirements clearly so suppliers understand what is expected.

2.2 Specify requirements in contracts

Include your minimum security requirements in supplier contracts and require suppliers to pass these on to any subcontractors. You can require your suppliers to ensure their subcontractors maintain basic cyber hygiene.

Evidence

Require potential suppliers to provide evidence of their systematic cybersecurity efforts and ability to meet your minimum security requirements throughout the contract.

Provide support

Develop appropriate guidance, tools, and processes to facilitate security work for you and your suppliers at all levels.

Clarify requirements

Clearly define requirements for incident handling and reporting in contracts. Specify suppliers' responsibilities for notifying you of incidents, the deadline for doing so, and whom they should report to. Inform suppliers about the support they can expect from you in case of an incident, including remediation actions and compensation. GDPR mandates tight deadlines for reporting personal data breaches to supervisory authorities (72 hours from the controller becoming aware, with processors required to notify the controller without undue delay), which you and your supply chain must prepare for. NIS2 imposes even stricter timelines, with an early warning due within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours, so the notification deadlines you set for suppliers must leave you time to meet your own.

You should:
  • Ensure security considerations in contracts are proportionate, aligned with contract stages, and appropriate to the supplier's importance and capabilities.

  • Require security considerations to be specified in contracts and train all parties on their use.

  • Verify that your guidance, tools, and processes are used throughout the supply chain.

  • Require contracts to be renewed at suitable intervals, including risk reassessment.

  • Ensure suppliers understand and support your security stance and request actions or information as needed.

  • Ensure contracts clearly state requirements for return and deletion of your information/assets when contracts end or are transferred.

2.3 Monitoring and auditing

An essential part of securing supply chains is ensuring suppliers comply with security requirements throughout the contract. Many security issues arise after contracts are signed, making ongoing monitoring and auditing crucial. Automated controls and KPIs enable quicker detection of security gaps.

Follow up to ensure suppliers actively and systematically manage their cybersecurity throughout the contract. If a supplier does not meet your minimum requirements, require a remedial action plan detailing when and how they will address this. Automated risk assessments and continuous supplier monitoring help maintain security over time. Applying Zero Trust principles to supplier access (authenticating and authorising every supplier connection and account individually, rather than trusting a network location or a VPN) and using a supplier risk management platform to collect evidence and KPIs can enhance transparency and security across the supply chain.

Consider regular security audits of critical suppliers. Request evidence that they meet your minimum requirements. If a supplier holds a certificate such as ISO 27001, review its scope statement to ensure it covers the services, sites and systems they deliver to you and not only a narrow part of the business, and request their Statement of Applicability to assess which controls are actually in place. This is especially important for those subject to NIS2/DORA requirements covering the whole organisation.
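The tiering suggested in the action plan above (Critical / Essential / Important / Other) and the tier-dependent checks described in this section can be combined into one small automated control. The following Python is an added illustration, not code from the guide: the 1-5 likelihood and impact scales, the score thresholds, the per-tier minimum requirements, the rule that a subcontractor is never tiered below the supplier whose delivery it supports, and the sample suppliers are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional

# All scales, thresholds and requirement values below are assumptions for this
# example; calibrate them to your own risk appetite.

def risk_score(likelihood: int, impact: int) -> int:
    """One cell of a classic risk matrix: likelihood (1-5) times impact (1-5)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact

TIER_ORDER = ["Other", "Important", "Essential", "Critical"]

def tier_for(score: int) -> str:
    """Map a matrix score to a supplier tier (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "Essential"
    if score >= 5:
        return "Important"
    return "Other"

# Proportionate minimum requirements per tier (assumed values):
# incident-notification SLA in hours, patch KPI in days, whether the ISO 27001
# scope must cover the contracted services, and the maximum age of an audit.
REQUIREMENTS = {
    "Other":     {"notify_hours": 72},
    "Important": {"notify_hours": 72, "patch_days": 30},
    "Essential": {"notify_hours": 24, "patch_days": 14, "cert_scope": True},
    "Critical":  {"notify_hours": 24, "patch_days": 7, "cert_scope": True, "audit_months": 12},
}

@dataclass
class Supplier:
    name: str
    likelihood: int
    impact: int
    services: FrozenSet[str]                        # services delivered under the contract
    cert_scope: FrozenSet[str] = frozenset()        # services named in the ISO 27001 scope statement
    notify_hours: Optional[int] = None              # contractual incident-notification SLA
    patch_days: Optional[int] = None                # measured KPI: days to patch critical findings
    last_audit: Optional[date] = None
    subcontractors: List["Supplier"] = field(default_factory=list)

def check(s: Supplier, tier: str, today: date) -> List[str]:
    """Return the gaps between the supplier's evidence and its tier's requirements."""
    req = REQUIREMENTS[tier]
    gaps = []
    if s.notify_hours is None or s.notify_hours > req["notify_hours"]:
        gaps.append(f"incident notification SLA must be <= {req['notify_hours']}h")
    if "patch_days" in req and (s.patch_days is None or s.patch_days > req["patch_days"]):
        gaps.append(f"critical patch KPI must be <= {req['patch_days']} days")
    if req.get("cert_scope") and not s.services <= s.cert_scope:
        gaps.append("ISO 27001 scope does not cover: " + ", ".join(sorted(s.services - s.cert_scope)))
    if "audit_months" in req:
        if s.last_audit is None or (today - s.last_audit).days > req["audit_months"] * 30:
            gaps.append(f"audit missing or older than {req['audit_months']} months")
    return gaps

def assess(suppliers: List[Supplier], today: date, inherited: str = "Other", out=None) -> dict:
    """Tier every supplier and walk the subcontractor tree. A subcontractor is never
    tiered below the supplier whose delivery it supports (assumed propagation rule),
    so a low-scoring host behind a Critical service is still checked as Critical."""
    if out is None:
        out = {}
    for s in suppliers:
        own = tier_for(risk_score(s.likelihood, s.impact))
        tier = max(own, inherited, key=TIER_ORDER.index)
        out[s.name] = {"tier": tier, "gaps": check(s, tier, today)}
        assess(s.subcontractors, today, tier, out)
    return out

# Constructed sample data: a payroll provider with a hosting subcontractor, and a caterer.
SAMPLE = [
    Supplier("PayrollCo", 3, 5, frozenset({"payroll"}), frozenset({"payroll", "hr-portal"}),
             notify_hours=24, patch_days=5, last_audit=date(2024, 11, 1),
             subcontractors=[
                 Supplier("CloudHost", 2, 2, frozenset({"hosting"}), frozenset({"hosting"}),
                          notify_hours=48, patch_days=10),
             ]),
    Supplier("Caterer", 1, 2, frozenset({"catering"}), notify_hours=72),
]

def run_sample() -> dict:
    """Assess the constructed sample as of a fixed date."""
    return assess(SAMPLE, date(2025, 6, 1))

if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result["tier"], result["gaps"] or "OK")
```

Running it shows why the propagation rule matters: CloudHost scores as "Other" on its own, but because it hosts a Critical service it is checked against the Critical requirements and fails three of them (notification SLA, patch KPI and a missing audit), which is exactly the case where you would require a remedial action plan.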

3. Building resilience

As your supply chain evolves, you must continue to improve and maintain security on an ongoing basis.

3.1 Establish supply chain management processes

  • Require suppliers critical to your supply chain security, via contract, to provide upward reporting on security performance and comply with all risk management policies and processes.

  • Include the right to audit in all contracts. It is your right to demand proof that supplier claims are accurate. Use this right systematically throughout the contract.

  • Incorporate security requirements such as security declarations, penetration testing, external reviews, or formal security certifications where justified.

  • Develop key performance indicators to measure the effectiveness of your security management practices in the supply chain.

  • Review results and lessons learned and take action accordingly.

  • Encourage suppliers to promote good cyber hygiene.

3.2 Encourage continuous improvement

  • Encourage your suppliers to continuously enhance their cybersecurity capabilities and cyber hygiene, emphasising how this can help them compete for and secure future contracts with you and others.

  • Provide advice and support to suppliers as they pursue improvements.

  • Avoid creating unnecessary barriers to improvement: recognise existing security practices or certifications suppliers may have that demonstrate how they meet your minimum security requirements.

  • Allow suppliers time to achieve security improvements but require schedules and specifications outlining how they intend to do so.

  • Listen to and act on issues raised through monitoring, incidents, or supplier reports indicating current methods may not be as effective as planned.

3.3 Build trust with suppliers

While it is reasonable to expect suppliers to manage security risks as agreed, be prepared to offer support if security incidents threaten your operations or the wider supply chain.

  • Strive to build strategic partnerships with key suppliers, share challenges with them, encourage and value their input. Gain their acceptance of your supply chain cybersecurity strategy, ensuring it reflects their needs as well as yours.

  • Allow them to manage subcontractors on your behalf but require appropriate reporting to clarify security in these relationships.

  • Maintain ongoing and effective communication with your suppliers.

  • Approach supply chain management as a shared responsibility between you and your suppliers.

Robert Willborg
