Assessing your supply chain security
How to Assess
The table below details how to assess your own supply chain security. You can use it as a guide to develop a robust system.
Good approach | Poor approach |
---|---|
Evaluating risks | |
You know the risks suppliers could introduce to your company and to the other businesses in your supply chain. You understand the risks associated with their products and services. | You don’t recognise the risks that suppliers can pose to you and your supply chain. You don’t understand the issues that can come with their products and services. |
You understand how important the information your suppliers hold is, and the value of the work they are doing for you. | You don’t understand how important the information is that your suppliers hold, and you don’t know how valuable the projects they’re working on are. |
Knowing the depth of your supply chain | |
You understand how far your supply chain goes, including who you work with as subcontractors. | You only know the people you buy from directly and don’t know anything about anyone they may use to help them. |
Knowing your supply chain’s security | |
You know the security arrangements of your suppliers and regularly check that they are managing the risks related to your agreement properly. | You don’t know for sure whether your supply chain is secure, but you assume it is probably fine. |
You have control over your supply chain and you can audit it. | You don’t have much control over your supply chain, you don’t keep track of who you are subcontracting to, and you don’t check up on them. |
Your first contact with a supplier is not an audit request; a working relationship exists before any audit takes place. | Often, your security team’s first interaction with a supplier is an audit carried out after an incident has occurred. |
You ask your suppliers to report on their security performance, so your senior leadership can be confident everything is going well. | You don’t ask your suppliers to report on their security performance. Senior leadership doesn’t know whether security is performing well or not. |
Setting minimum security requirements | |
You assess risks and figure out what security measures are needed to reduce them. You put these security expectations in your agreements with suppliers. These security expectations become the minimum requirements. | You do not set up minimum security requirements, leaving it to your suppliers to decide what to do. This may be because they do not have the knowledge to know what is needed or how to do it properly. Alternatively, you may set minimum security requirements, but these may not be suitable for your suppliers to meet. |
Matching protection to risks | |
You make sure the protections needed are the right amount for the risks assessed and for the specific contract. You make sure these protections are reasonable, appropriate, and possible. | You use the same rules for all suppliers, even if their contracts and risks are different. You don’t check if these rules are fair and possible, which might make suppliers not want to work with you. |
Managing security throughout the supply chain | |
You want your security needs to be fulfilled by everyone in your supply chain. You make sure your suppliers are following the rules. | You leave it to your suppliers to manage security, but you don’t require it or check that it is being done. |
Meeting your responsibilities as a supplier | |
You fulfill your obligations as a supplier and prompt your customers for guidance when necessary. You pass customer requirements along and inform senior management of security performance. | You neglect your responsibilities as a supplier or ignore a lack of customer guidance, and fail to pass requirements down or to report to senior management on security performance. |
Providing support in an incident | |
You fulfill your obligations as a supplier and seek guidance from customers where it is absent. You ensure customers’ requirements are met and update senior management on security performance. | You neglect your duties as a supplier and disregard any customer guidance, while failing to pass down customer requirements and report security performance to senior management. |
Updating suppliers about changing cyber risks | |
You let your suppliers know about the possible risks of cyber-attacks so they can stay informed. You also share what works best to make sure everyone is up to date. | You expect suppliers to be aware of potential cyber-attack risks and provide no help or guidance, regardless of their security knowledge and skills. |
Building in assurance | |
You add assurance steps to your minimum security requirements to get an independent view of how secure your suppliers are. | You don’t build assurance steps into your minimum security requirements. You assume your suppliers will do the right thing, even if they don’t know what they should do or lack the relevant experience. |
Monitoring the effectiveness of security | |
You assess the effectiveness of current security measures. When needed, you modify or remove controls based on incidents, assurance activities, and supplier feedback. | You fail to monitor the effectiveness of security measures and are unwilling to make changes despite overwhelming evidence. |