Part of Objective A – Managing risk

Principle A4: Supply chain

A4.a Supply chain

Description

The organisation understands and manages security and information governance (IG) risks to information, systems and networks supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.

Expectation

The expectation for this contributing outcome is Partially achieved.

Indicators of good practice (IGP) achievement levels

Not achieved

At least one of the following is true:

NA#1. You do not know what data belonging to you is held by suppliers, or how it is managed.

NA#2. Elements of the supply chain for essential function(s) are subcontracted and you have little or no visibility of the sub-contractors.

NA#3. You have no understanding of which contracts are relevant and/or relevant contracts do not specify appropriate security or information governance (IG) obligations.

NA#4. Suppliers have access to systems that provide your essential function(s) that is unrestricted, not monitored or bypasses your own security controls.

NA#5. IG is not factored into the procurement process.

NA#6. You are not sure if any data shared with suppliers leaves the UK, or if all international data transfers are covered by a legal protection.

Partially achieved

All the following statements are true:

PA#1. You understand the general risks suppliers may pose to your essential function(s).

PA#2. You know the extent of your supply chain that supports your essential function(s), including sub-contractors.

PA#3. You understand which contracts are relevant and you include appropriate security and data protection obligations in relevant contracts.

PA#4. You are aware of all third-party connections and have assurance that they meet your organisation’s security and IG requirements.

PA#5. Your approach to security and data protection incident management considers incidents that might arise in your supply chain.

PA#6. You have confidence that information shared with suppliers that is necessary for the operation of your essential function(s) is appropriately protected from well-known attacks and known vulnerabilities.

PA#7. All international data transfers to suppliers are covered by a legal protection.

Achieved

All the following statements are true:

A#1. You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as IG considerations, due diligence, supplier’s partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.

A#2. Your approach to supply chain risk management considers the risks to your essential function(s) arising from supply chain subversion by capable and well-resourced attackers.

A#3. You have confidence that information shared with suppliers that is essential to the operation of your function(s) is appropriately protected from sophisticated attacks.

A#4. You understand which contracts are relevant and you include appropriate security and data protection obligations in relevant contracts. You have a proactive approach to contract management which may include a contract management plan for relevant contracts.

A#5. Customer/supplier ownership of responsibilities is laid out in contracts.

A#6. All network connections and data sharing with third parties are managed effectively and proportionately.

A#7. When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.

A#8. You routinely liaise with other teams to keep track of changes to services that impact your organisation’s agreements.

A#9. All international data transfers to suppliers are covered by a legal protection.

A#10. Your processor has appropriate certification and agrees to be audited either by your organisation or an independent auditor.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing – Partially achieved

1. Supplier risks - ascertain how the organisation identifies and documents risks posed by suppliers to its essential functions. (PA#1)

2. Knowledge of supply chain - verify that the organisation has understood and documented all suppliers who support its essential functions. Where possible, this should include sub-contractors involved in the services supporting the essential functions. Where identifying sub-contractors is not possible, the organisation should document the efforts they have made to acquire this information. (PA#2)

3. Supplier contracts - obtain a sample of the organisation’s supplier contracts. Verify that:

  1. Appropriate cyber security and data protection obligations have been included. (PA#3)
  2. The data being shared by the organisation is clearly documented and understood by both parties. (PA#3, PA#6, A#3)

4. Third-party connections - obtain evidence that the organisation has documented all third-party connections to its networks. Verify what assurance the organisation has in place that each third-party connection and the vendor it belongs to meets the organisation’s cyber security and information governance requirements. Where gaining assurances is not possible, the organisation should document the efforts they have made to acquire this information. (PA#4)

5. International data transfers - verify that the organisation understands and documents all countries where data is being processed as part of its supplier-offered services. Obtain evidence that there are either adequacy decisions in place for these countries, or where there is no adequacy decision the organisation has appropriate legal mechanisms in place to facilitate the data transfer. (PA#7, A#9)

6. Supplier assurance - verify what assurances the organisation obtains from suppliers to ensure that they meet the organisation’s security and IG requirements. The assurances should be sufficient to confirm that information shared with the supplier is appropriately protected from well-known attacks and known vulnerabilities. (PA#6)

7. Incident management – discuss the incident management process and assess whether third-party incidents are considered. Verify that the organisation has agreed specific measures in their process to aid their response to incidents involving third parties. (PA#5)

Additional approach to testing – Achieved

1. Detailed supplier risks - obtain evidence that the organisation has identified and documented risks posed by suppliers to a deep level of detail. Verify that the organisation interrogates these risks as part of its risk assessment and procurement processes before onboarding suppliers. The risk considerations should include specific IG and cyber risks which emerge as a result of the supplier’s sub-contractors, the supplier’s partnerships and the supplier’s geographic location. (A#1)

2. Supply chain risk management - obtain evidence that the risks documented in step 1 have been discussed and reviewed by responsible decision-makers within the organisation. Where subversion of suppliers’ services would cause unacceptable consequences, mitigations should have been discussed, with short-term and long-term plans for remediation. (A#2)

3. Assurance against sophisticated attacks - verify what assurances the organisation obtains from suppliers to ensure that they meet the organisation’s security and IG requirements. The assurances should be sufficient to confirm that information shared with the supplier is appropriately protected from sophisticated attacks. (A#3)

4. Contract management plan – verify whether the organisation has a contract management plan in place which allows for regular review of important contracts. (A#4)

5. Roles and responsibilities - obtain the list of supplier contracts and select a sample. Verify that the customer/supplier ownership of responsibilities is laid out in those contracts. (A#5)

6. Network connections and data sharing - obtain evidence that the organisation understands and documents third-party connections to its network and data sharing with third parties. Assess the supplier management processes the organisation has in place for ensuring that these connections and the data being shared are necessary and proportionate for the services being provided, and obtain evidence that these processes are followed. (A#6)

7. Incident management process - obtain and inspect the organisation’s incident management process, and assess whether suppliers’ roles and responsibilities are documented. Request evidence of assurance the organisation has received from their most critical suppliers of mutual support during incidents. (A#7)

8. Changes in services - verify that the organisation has a scheduled or efficiently reactive process for liaising with other teams to keep track of changes to services that impact cyber security and information governance-related understandings and agreements with suppliers. Obtain evidence that this process is followed and changes are made where necessary without undue delay. (A#8)

9. Certification and right to audit - verify that as part of the organisation’s procurement processes, there is a requirement for supplier certifications to be obtained prior to the contract being signed. For the suppliers who the organisation has identified as most critical to the operation of its essential functions, contracts should also include a right to audit, based on specific parameters relevant to the services being provided. (A#10)

Suggested documentation – Partially achieved

Suggested documentation includes:

  • documentation showing supplier risks to essential functions
  • lists of suppliers and sub-contractors
  • supplier contracts
  • documentation showing third-party connections
  • evidence of international data transfers being considered as part of supplier management processes
  • supplier assurances regarding their cyber security and information governance practices
  • incident management process documentation

Additional documentation – Achieved

Additional documentation includes:

  • documentation showing detailed supplier risks to essential functions
  • procedures for supplier risk management
  • contract management plan
  • procedures for managing third-party connections and data sharing
  • supplier assurances of incident support
  • procedures for cross-organisational tracking of changes in services
  • evidence of right to audit for critical suppliers

Last edited: 2 January 2025 12:01 pm