
Supply chain guide

by Mark Rowe

Most businesses have multi-tiered supply chains, which are likely to run both upstream (supply: between the organisation and its suppliers or suppliers’ suppliers) and downstream (demand: between the organisation and its market).

Vulnerabilities in these supply chains can introduce vulnerabilities to the organisation and its assets. Those vulnerabilities can expose the organisation and its assets to risk from national security threats, principally terrorism, hostile cyber-attacks by foreign states and large-scale cyber-crime.

So says the official Centre for the Protection of National Infrastructure (CPNI), which recommends that organisations view supply chain security risk as an extension of existing arrangements to mitigate security risk. Achieving this extension requires a supply chain security risk mitigation implementation plan which includes:

• Mapping of all tiers of the upstream and downstream supply chains to the level of individual contracts.

• Risk scoring each contract to link into the organisation’s existing security risk assessment.

• Due diligence/accreditation/assurance of suppliers (and potential suppliers) and the adoption, through contracts, of proportionate and appropriate measures to mitigate risk.

• Audit arrangements and compliance monitoring.

• Contract exit arrangements.

For the 11-page document detailing risk mitigation for the supply chain, visit: http://www.cpni.gov.uk/.


© 2024 Professional Security Magazine. All rights reserved.
