
You are the supply chain, we are the supply chain, they are the supply chain.
‘Supply chain’ is a renewed focus for threat intelligence, government interests, and enterprise this year. The statistics continue to show that criminals are deliberately compromising organisations through their supply chains. Every organisation both has and is part of a supply chain, so it can feel like a lot of noise to suggest that we really ought to be ‘focusing on the supply chain’ – surely this is just focusing on general business health? Well, yes and no! As always there’s some nuance to explore and that’s what we’re making space for today.
Today we’re tackling the supply chain discussion, including what you should be doing to assess your own posture, the posture of your supply chain, and – as always, we’re going to cut to the chase on what actions we can easily take to get the best value out of any efforts spent in assessing your supply chain. We’ll also go over the role of certifications in improving trust, and how to have meaningful conversations with your suppliers.
Why the Supply Chain Is Closer Than You Think
While it’s nearly considered common sense, it’s worth retreading that the supply chain is not limited to physical goods. Supply chain includes software providers, cloud services, hosting, your MSP, contractors, subcontractors, consultants, and even the third-party code libraries you’re using in any custom software. This is well-trodden ground – most usefully by the NCSC, who have some great resources on supply chain security.
Each organisation is both a supplier and a consumer. Clients view their partners as part of their supply chains, and security resilience is therefore not just inward-facing but an external value proposition. In short, everyone is part of the supply chain.
It’s like when you’re sitting in traffic, complaining to yourself that you’re “Stuck in traffic”; my friend, I hate to tell you – but we ARE the traffic!
How to Map Your Supply Chain and Identify Leverage
Let’s talk about a structured approach to follow to start critically thinking about your supply chain. Take a look at the steps below:
- List every external dependency. Begin with obvious providers such as cloud services, hosting, telecoms, and IT support. Extend the list to include contractors, resellers, outsourced development, shared platforms, and open-source libraries. If you rely on ‘friends’ in industry, list these too!
- Classify each dependency by criticality. Consider which ones, if compromised, could cause serious harm. Rank them high, medium, or low risk. Some suppliers are connected to you in name only – but others might have internal access to critical systems.
- Identify your level of control. For each supplier, ask whether you can require minimum security standards, request evidence, substitute them, or monitor performance. Speaking frankly – sometimes you don’t have any sway at all over your supply chain. In these cases, you either have to accept the risk, treat the risk as best you can, or migrate to another supplier.
- Track cascading tiers. Some suppliers rely on their own suppliers. Visibility into second and third tiers helps when dependencies are highly critical. Remember too that some service provision is ‘whitelabelled’, and might be provided to you by a company through undisclosed subcontracting. Feel empowered to ask if anything you’re paying for is whitelabelled! This doesn’t necessarily reflect on the quality of the service, but you should certainly know about it.
- Maintain a supply chain register / external supplier evaluation log. Record supplier names, services, criticality, certifications, and review dates. If there have been conversations or actions taken based on what you’ve identified, record them here.
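As an added illustration of the five steps above (not part of the original post, and not an ADAS tool), the following Python models a minimal supply chain register, walks the cascading tiers of subcontractors, lets a second- or third-tier supplier inherit the criticality of whoever depends on it, and lists what to chase at the next review. All supplier names, dates and certifications in REGISTER are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Supplier:
    criticality: str                  # "high", "medium" or "low" (step 2)
    certifications: list = field(default_factory=list)
    subcontractors: list = field(default_factory=list)   # next-tier suppliers, by register key (step 4)
    whitelabelled: bool = False       # delivered through an undisclosed subcontractor
    last_review: "date | None" = None

def cascading_tiers(register, root):
    """Map each supplier reachable from `root` to its tier; root's own subcontractors are tier 2."""
    tiers, frontier = {}, [(root, 1)]
    while frontier:
        name, tier = frontier.pop(0)
        if name in tiers or name not in register:   # skip cycles and names not in the register
            continue
        tiers[name] = tier
        frontier.extend((sub, tier + 1) for sub in register[name].subcontractors)
    return {n: t for n, t in tiers.items() if n != root}

def effective_criticality(register):
    """A subcontractor inherits the highest criticality of anything that depends on it."""
    result = {name: s.criticality for name, s in register.items()}
    for name, s in register.items():
        for sub in cascading_tiers(register, name):
            result[sub] = max(result[sub], s.criticality, key=RANK.get)
    return result

def review_actions(register, today, max_age=timedelta(days=365)):
    """Items to chase at the next review: stale entries, whitelabelling, uncertified critical suppliers."""
    crit = effective_criticality(register)
    actions = []
    for name, s in register.items():
        if s.last_review is None or today - s.last_review > max_age:
            actions.append((name, "review overdue"))
        if s.whitelabelled:
            actions.append((name, "whitelabelled: confirm who actually delivers the service"))
        if crit[name] == "high" and not s.certifications:
            actions.append((name, "high criticality but no certification on record"))
    return actions

REGISTER = {  # constructed sample with fictional suppliers; TODAY is a fixed as-of date
    "CloudHost": Supplier("high", ["ISO 27001"], ["DCPower"], last_review=date(2025, 1, 10)),
    "DCPower": Supplier("low"),
    "DevShop": Supplier("medium", ["Cyber Essentials"], ["CloudHost"], last_review=date(2024, 3, 1)),
    "PayrollApp": Supplier("medium", whitelabelled=True, last_review=date(2025, 6, 1)),
}
TODAY = date(2025, 9, 1)
```

Note how DCPower, rated low on its own, becomes high once the register shows that CloudHost (high) depends on it: that is the tier visibility the fourth step is asking for.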
Shifting Towards a Supplier-Conscious Model
Security risks within supply chains often reveal themselves as “to do” list items: checking whether a vendor has updated policies, reviewing third-party access rights, or chasing evidence of security. These small but persistent tasks are usually signals of deeper supply chain risks.
Adopting a supplier-conscious model means recognising that:
- Security gaps in suppliers are also risks for your own organisation.
- Transparency in supplier relationships is more valuable than secrecy.
- Collaborative improvement over time with imperfect allies is often more effective than imposing strict demands.
This approach encourages stronger resilience across the chain, as both sides acknowledge shared responsibility. Often you may find that you and your suppliers both stand to learn from each other and may benefit from sharing talent and resources.
The Role of Certifications in Supply Chain Security
A common challenge in supplier relationships is inconsistent risk language. Organisations describe risks in different ways, making it hard to assess alignment. This is where recognised certifications become essential.
Standardised benchmarks
Certifications such as Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance Levels 1 and 2, and ISO 27001 provide a common yardstick:
- They offer standardised measures of effort and outcome.
- They reduce friction in discussions by creating a shared reference point.
- They demonstrate assurance to clients and partners without lengthy explanations – and can ideally replace supplier questionnaires (everyone’s favourite pastime).
Just as a heads up – ADAS Ltd offers services to support organisations in achieving Cyber Essentials, IASME Cyber Assurance, and ISO 27001. These standards help communicate a measurable commitment to cyber resilience, and we proudly hang our hat on them as excellent steps in the journey to a culture of resilience in any organisation.
Controls-based vs risk-based standards
Risk-based standards allow you to assess the need for potential controls and make your own decision about whether they’re needed; ISO 27001 is one example. Controls-based standards have mandatory requirements to meet certain technical standards – Cyber Essentials Plus, for example.
- Controls-based standards (such as the IASME-regulated standards) show that material security controls are implemented and validated.
- Risk-based standards (such as ISO 27001) demonstrate risk-informed decision making and a security culture embedded within strategy and governance.
Used together, these frameworks provide a powerful way to communicate security posture both upstream and downstream in a supply chain.
How to Start Effective Security Conversations with Suppliers
Approaching suppliers about security can be sensitive. The following practices help turn it into a constructive process:
- Frame security as a shared risk rather than a one-sided demand.
- Use concise questionnaires to ask about certifications, patching policies, MFA, incident response, and regular testing. If you can get these questions answered in a meeting, then opt for this. You’ll capture more nuance and cultural context, and make life easier for the other party.
- Request evidence rather than assurances, such as audit reports or certification numbers.
- Offer guidance or resources to smaller suppliers who may need help improving. Equally, don’t be afraid to ask for help yourself if you identify a strength in your supplier that you would benefit from implementing.
- Embed security clauses into contracts, such as minimum standards, incident reporting, and periodic reviews. Don’t take people by surprise with this, weave it into a working relationship and set clear timeframes for maturity if existing suppliers don’t quite hit the mark yet.
- Schedule reviews regularly, not just once at onboarding.
- Escalate concerns or consider alternatives if a supplier consistently fails to meet agreed security expectations. Negotiating these waters can be tricky – especially with high value members of your supply chain. If you find yourself tackling complex requirements like this, a third party like ADAS might be able to help you.
This approach helps raise the overall standard of security while protecting your organisation’s role within client supply chains.
Why Supply Chain Resilience Matters
Supply chain attacks are becoming more frequent and can have serious ripple effects. A cyber incident at one node often cascades through multiple organisations. For example, recent events affecting major UK manufacturers disrupted smaller suppliers across the network. (Reuters)
Without a clear map of dependencies, organisations may be blind to risks originating several layers upstream. The cost of this blind spot can be reputational, financial, and operational.
A Practical Roadmap
So there are clearly some artefacts to build, conversations to have, and certification pathways to reflect on that might prove useful to you in easing any supply chain anxiety and bringing a structured approach to the supply chain conversation. As a reminder to take away with you…
- Build and maintain a supply chain register.
- Prioritise high-impact suppliers for deeper scrutiny.
- Engage in regular security conversations with concise, evidence-based questions.
- Leverage certifications as benchmarks and communication tools.
- Review and update supplier records periodically.
- Embed security clauses into contracts to set expectations clearly.
- Replace, negotiate, or escalate if suppliers persistently fall short.
Conclusion
By mapping dependencies, adopting a supplier-conscious mindset, leveraging certifications, and maintaining open yet structured conversations with suppliers, businesses can transform vague risks into managed, measurable resilience.
The supply chain conversation isn’t ending anytime soon: organisations are complex systems that only further complicate when they come into partnership with other organisations. Relationships with supply chains require persistent and diligent attention to ensure that your security efforts aren’t undermined by a friendly third party.
ADAS Ltd supports organisations in strengthening their cyber assurance and supply chain resilience, with expertise in certifications including Cyber Essentials, IASME Cyber Assurance, and ISO 27001. If you’re considering tightening the requirements for being part of your supply chain, you will find value in working with us. We’re well positioned to provide volume-based discounts on bulk certification when multiple organisations approach us collaboratively.
Have a great Thursday everyone…