Securing the Supply Chain

20 July 2015

Amethyst's Mark Chown discusses the importance of good supplier security assurance


All organisations and businesses are dependent in some way on the services of others. 

In the Information Security domain, core activities such as utility supply, networking, infrastructure hosting, application development and data disposal are often entrusted to suppliers. The supply chain may also deliver core business activities that support front-of-house operations or deliver services directly to the customer.  In many cases these services are critical and disruption can have a major impact.

I have had experience both of assuring the services of suppliers and of providing similar assurances to customers in a service provider role by responding to lengthy questionnaires. What is clear is that there is no consistent way in which this assurance activity is undertaken; compliance teams typically struggle to conduct meaningful supplier security assurance activity whilst also keeping pace with business change.

Very often assurance activity is poorly conceived and executed with a ‘tick-box’ mentality; the result is activity that bears little relation to the service being provided and, most importantly, does not address the risks to the business.

A good supplier security assurance programme should demonstrate some, if not all, of the following key features.

Know and Assess Your Suppliers and Services

The fundamental requirement is to establish a relationship with your suppliers, understand the service that is being provided, and assess the risk that the service represents to your own operations.

  • The challenges of achieving a definitive supplier list will depend greatly on the maturity of your procurement process

  • Engagement with procurement teams is essential

  • It is not unusual for security assurance activity to underpin a holistic supplier management framework that includes other business functions that need to monitor supplier activity (e.g. Procurement, Legal and BCP/DR)

  • Each service/supplier should undergo a business risk/impact assessment. It is vital to involve the business service owners in the assessment

  • Each supplier should be categorised using a risk rating that will dictate the rigour of any security assurance activity

  • The risk assessment should be reviewed at regular intervals dependent upon the service risk

  • The assessment process should form a core part of initial supplier on-boarding and be applied retrospectively for legacy services.


Legal contracts and Service Level Agreements are vital to ensure clarity of security responsibilities and obligations between you and the supplier. They may not, however, offer great comfort in the event of a major incident.

  • Place the onus on the supplier to demonstrate that they are able to provide a secure service

Key clauses to consider are:

  • Confidentiality clauses

  • Data Protection Act requirements

  • Data retention and disposal

  • Division of security responsibilities and definition of security roles

  • Right to audit and on-going commitment to share audit reports

  • Procedures in the event of an incident including reporting and forensics/investigative support

  • Specific minimum security standards that you expect (e.g. data classification and encryption)

  • Security Key Performance Indicators

  • Penalties for breaches of security

  • Expectations for outsourcing of supplier services.


Options for Assurance Activity

Your supplier security framework should specify what checks and activity needs to be undertaken for each supplier risk category. Options include:

  • Obtain and review independent certification and audit reports

  • If possible, obtain references and speak directly with security teams in other customer organisations

  • Always check scope and provenance of ISO/IEC 27001 certification

  • Make use of supplier assurance questionnaires which can be self-written or based on a number of available frameworks

  • Ensure that questions are relevant to the service being provided; a ‘pick and mix’ approach drawing from a core question set can be useful

  • A number of automated tools that provide response portals are available but not essential; establishing a mature process is more important

  • Undertake site visits to validate information previously provided

  • Undertake supplier reviews at regular intervals, based on risk, and aligned with contract reviews/renewals.

On completion of assurance activity a remediation plan and review schedule should be defined.

When developing a supplier security assurance programme it is tempting to try to deliver a fully mature solution at the outset. However, given the co-ordination, dependencies and effort required, I would always recommend a gradual approach that can be developed and improved over time.


If you would like to discuss how Amethyst might help you develop your Supplier security assurance programme, please email us at
