
Cyber Essentials Supply Chain Playbook

Release date
11 December 2025
Alert rating
LOW

Description

This guide will help you protect your business from cyber attacks by supporting you to embed Cyber Essentials in your supply chain.

Current update
12 December 2025

In this playbook

There have been too many occasions where we’ve seen first-hand the impact that cyber attacks can have on businesses. Supply chains can provide numerous points that attackers look to exploit, but only 14% of firms are on top of the potential risks faced by their immediate suppliers.

That’s why we wrote to the UK’s leading companies, to set out steps to bolster their cyber security – including a specific action on securing supply chains using the Cyber Essentials scheme – which should be a priority for every company.

The Cyber Essentials Supply Chain Playbook we have developed with the NCSC is designed to help organisations manage their supply chains more effectively, ensuring their operations are protected every step of the way.

Liz Lloyd
Cyber Security Minister


Ministerial letter on cyber security

Cyber threats are an immediate and escalating danger to the UK’s economy, our businesses and our national security. Attacks are becoming more frequent and more damaging, with recent high-profile incidents showing how quickly operations can be disrupted and profitability eroded.

And it’s not just your own systems at risk: vulnerabilities in your supply chain can have a devastating impact on your organisation.

As the National Technical Authority for cyber security, the NCSC is calling on industry to build the cyber resilience of UK supply chains by championing the Cyber Essentials scheme and making it a standard requirement for suppliers.

We know we cannot succeed alone. Protecting the UK’s economic future requires leadership from the nation’s most influential companies.

Your commitment will set the tone for the entire economy. By acting now, you will not only protect your organisation but also strengthen the UK’s position as a secure, trusted environment for investment and innovation.

We are asking senior leaders to direct your procurement and information security teams to:

  • Embed Cyber Essentials across your supply chain. This government-backed scheme provides a proven baseline of protection against common attacks.
  • Implement Cyber Essentials technical controls within your own systems as part of a strategic approach to managing cyber risk.

This Playbook is designed to give your team the resources and guidance to help you embed Cyber Essentials into your supply chain, setting out steps to:

  • Audit your supply chain by using the IASME Supplier Check tool.
  • Scope whether all of your supply chain, or certain supplier security profiles will require Cyber Essentials as a Minimum Security Requirement.
  • Take forward the most effective intervention option to embed Cyber Essentials within your supply chain.*
  • Provide feedback and tell us what you’re doing to implement Cyber Essentials in your supply chain at sectorresilience@ncsc.gov.uk

*In our experience, if you want to see significant improvements in your supply chain security through Cyber Essentials, you need to require it. If you promote it among a small scope of suppliers, your impact will be limited.

High-profile, damaging cyber attacks have demonstrated attackers’ intent and ability to exploit security vulnerabilities in supply chains across the UK. Without basic cyber hygiene, suppliers will continue to be vulnerable as threat actors hone their focus on unprotected businesses.

Despite this, relatively few organisations take steps to formally review the risks posed by their immediate suppliers and wider supply chain.

This is often attributed to a lack of capacity, capability and tools within buying organisations.

Cyber Essentials can help.

Cyber Essentials provides a clear, efficient way for organisations to gain assurance that their suppliers, or other third parties, have good cyber security in place and that they are protected against most common cyber attacks.

Almost half (43%) of all UK businesses suffered a cyber attack over the last year.

  • Cyber Essentials is a UK government-backed certification that demonstrates that your organisation has implemented the essential security controls that protect against most common cyber threats. It is the minimum standard of security that the NCSC would advise every organisation to achieve.
  • Implementing just five key controls reduces risk, strengthens resilience, and gives stakeholders verified assurance that your organisation prioritises cyber security and meets recognised baseline standards.

We have highlighted how Cyber Essentials can address the challenges that many organisations face in securing and managing the cyber security of their supply chain.

Next, we outline the actions you can take to embed Cyber Essentials into your supply chain.

The actions are compiled as a series of actionable steps. For each step we recommend the activity you should consider and point to the tools and resources that can help you complete it.

  1. Assess your risks
  2. Profile your suppliers
  3. Set requirements
  4. Communicate expectations
  5. Incentivise adoption
  6. Embed into procurement processes
  7. Monitor adoption

1.  Assess your risks

Effectively securing the supply chain can be hard because vulnerabilities can be inherent or introduced and exploited at any point in the supply chain.

Before looking to mitigate, you should use the NCSC’s Supply Chain Principles to check you understand the risks, including:

  • understand what needs to be protected and why
  • know who your suppliers are and build an understanding of what their security looks like
  • understand the security risk posed by your supply chain

Also consider if the effects of a breach via the supplier would:

  • adversely impact the organisation’s business operations or processes
  • adversely impact the organisation’s reputation
  • cause significant financial or legal, regulatory or contractual consequences
  • affect the safety of your staff or customers

2.  Profile your suppliers

Once this is done, you should define a set of supplier security profiles; consider creating different sets of requirements for different supplier sizes and types to ensure your requests are realistic, pragmatic and proportionate to the risk.

Use the NCSC’s Supply Chain Principles to check you understand the risks

Use NCSC guidance to help create a set of cyber security profiles

3.  Set requirements

Once supplier security profiles have been developed, you should start to consider minimum security requirements for each security profile (which could include a minimum requirement for all suppliers) and consider whether Cyber Essentials is well-placed to reduce any risk and increase supply chain assurance efficiency.

Based on your business context, you could consider for each profile:

  • Setting Cyber Essentials Certifications as a minimum-security requirement; and/or
  • Aligning Supply Chain Assurance questionnaires to include Cyber Essentials controls and accepting a Certification as validation of these.

4.  Communicate expectations

Once minimum-security requirements have been set you should consider how you communicate and enforce these with your suppliers.

Intervention options include:

  • Raising awareness by signalling your intent through supplier letters and at supplier conferences.
  • Incentivising Cyber Essentials adoption through Funded Vouchers, or the IASME Cyber Advisor Supply Chain Package.
  • Ensuring these criteria influence procurement decisions, particularly in Request for Pricing (RfP) and Request for Quotation (RfQ) exercises.
  • Requiring Cyber Essentials during contract renewals.

Communications resources

We have developed the following supporting resources to raise your supply chain’s awareness of Cyber Essentials:

5.  Incentivise adoption

Based on your business context, you may decide to incentivise Cyber Essentials adoption across the relevant supplier security profiles.

Incentivising options include:

You can get in touch with supplychain@iasme.co.uk to find out more or visit http://iasme.co.uk/cyber-essentials/

6.  Embed into procurement processes

Based on the level of operational, financial, reputational or data risk associated with a given supplier, you may decide that certain vendors must hold a Cyber Essentials certificate (or demonstrate they have implemented these controls through other means) to win your business, and ask for this in Standard Contractual Clauses.

Alternatively, you may also choose to introduce weighted criteria that assess a supplier’s cyber security credentials as part of a Request for Proposal or Request for Quotation.

In all these scenarios, you will need to work closely with your procurement (or third-party risk) teams to document and mitigate risk, and consider:

  • when you will introduce these requirements
  • how you build the ‘right to audit’ into contracts and exercise these
  • penalties for non-compliance (e.g. no longer Cyber Essentials certified mid-contract)
  • whether suppliers need to include the same requirements for any contracts they sub-let
  • key performance indicators to measure the performance of your supply chain security management practices

7.  Monitor adoption

To help organisations understand which suppliers are Cyber Essentials certified, IASME has developed the Supplier Check Tool.

The tool enables organisations to drop a large list of suppliers (up to 5,000) into a bespoke search function and find out which suppliers are certified to either Cyber Essentials or Cyber Essentials Plus.

This makes it significantly easier for organisations to check which suppliers are certified.

A completed CSV spreadsheet may be retained for up to 6 months to avoid creating a database each time.

The results may be viewed on screen or exported to Excel.

Visit the IASME Supplier Check Tool website to find out more.
