Supply Chain Risk Assessment
Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic
Our Supply Chain Risk Assessment helps you identify critical procurement risks and ensures that your vendors and suppliers take just as much care with your organisation’s data as you do.
Performing a Supply Chain Risk Assessment quantifies the risks that your organisation faces as a result of sharing information with your suppliers, vendors and partners. Supply chain attacks are often subtle, sophisticated and devastating: rather than attacking your organisation directly, they target the weaker links within your supplier network to bypass the stronger protections that your organisation may have in place.
During a supply chain attack, cybercriminals may exploit inadequate access controls, outdated software or weak encryption within one of your suppliers' systems, or misuse the legitimate access that a supplier holds to your data or systems. Such attacks can disrupt your operations, cause reputational damage and lead to regulatory non-compliance, especially if your industry has stringent data protection requirements.
For organisations, managing these risks requires a proactive approach that includes regular risk assessments, supplier cybersecurity vetting, and establishing stringent cybersecurity standards and monitoring practices within their supply chains. This approach not only enhances resilience but also fosters greater trust and transparency between organisations and their suppliers.
How can SecureTeam help?
Our Supply Chain Risk Assessment provides a detailed examination of your suppliers' working practices and technical controls to ensure that they are treating your organisation's data with as much care as you are. By undertaking a thorough assessment of each individual supplier, we identify the real-world impacts that may affect your data if that supplier were to suffer a cyber security breach. Our consultancy team will highlight key risk areas and provide tangible actions that your suppliers can adopt to improve their own security, which in turn reduces the cyber risks to your organisation's data.
The delivery process for our Supply Chain Risk Assessment is as follows:
Documentation Review
Our Supply Chain Risk Assessment service starts with us reviewing the existing documentation that your organisation uses to manage your suppliers. Our consultancy team will conduct a review of the following documents, if these are available:
- Supplier Contracts and Agreements
- Service Level Agreements (SLAs)
- Supplier Data Processing Agreements (DPAs)
- Supplier Cybersecurity Policies and Standards
- Previous Supplier Risk Assessments and Audits
- Incident Response and Business Continuity Plans that involve your suppliers
- Third-Party Risk Management Policies
Creating a Supplier Security Policy (Optional)
If your organisation does not already have a Supplier Security Policy in place, our consultancy team can create one for you if required.
A Supplier Security Policy serves as a comprehensive outline of your organisation’s security expectations and requirements that suppliers must meet to work with your organisation and reduce your overall supply chain risk. This policy would be designed to protect your data, infrastructure, and operations by ensuring that all suppliers follow robust cybersecurity practices aligned with industry standards.
Typically, the Supplier Security Policy would cover the following key areas:
- Access Control and Data Handling
- Cybersecurity Standards and Compliance
- Incident Response and Reporting
- Data Protection
- Staff Security Vetting
- Risk Management and Audits
- Business Continuity and Disaster Recovery
- Staff Training and Awareness
- Vulnerability Management
Delivering this Supplier Security Policy to your suppliers communicates your cyber security requirements clearly, strengthening security across the supply chain, reducing vulnerabilities and fostering a culture of shared accountability.
Supply Chain Risk Workshop
Following an initial review of your organisation's supplier-related documentation, we will conduct a remote workshop with key individuals in your organisation who are involved in information governance, cyber security and your organisation's procurement process. During this workshop, our consultant will discuss the following for each supplier that you wish to have reviewed:
- The proposed or existing supplier relationship(s)
- The data that is handled or processed by the supplier
- The potential impact of a data breach at the supplier
- How the supplier accesses your data or systems
- An overview of our Supplier Questionnaire
Bespoke Supplier Security Questionnaire
Our consultancy team will create a supplier questionnaire that you can send to your suppliers to capture information about their current certifications, and the processes and policies they have in place to safeguard your data. Based on the UK National Cyber Security Centre's 12 principles of supply chain security, our Supplier Questionnaire covers the following key areas:
- Security governance
- Managing and recovering from incidents
- Protecting their network
- Protecting data
- Offshoring
- Personal data
- Personnel security
- Physical security
- Vulnerability Management
- Independent testing and assurance
- Other contractual considerations
During the Supply Chain Risk Workshop, you also have the opportunity to discuss other industry-specific questions that you may wish to add to your organisation's Supplier Questionnaire.
Your Suppliers Complete the Security Questionnaire
At this stage, our consultancy team will prompt you to issue the Supplier Questionnaire to your suppliers. Within the questionnaire, your suppliers will be asked to provide further documentation that supports their stated cyber security posture. This may include any or all of the following, where available:
- Cyber Essentials Certificate
- Cyber Essentials Plus Certificate
- ISO 27001 Certificate
- ISO 9001 Certificate
- Supplier Security Policy (for your supplier’s supply chain)
- Evidence of annual Penetration Testing
- Evidence of recent Vulnerability Scans
- Incident Response Plan (IRP)
- Disaster Recovery (DR) Plan
- Cyber Insurance Policy
We recommend that you set a deadline on the completed questionnaires and supporting documentation being returned by your suppliers, so that the next stage in the Supply Chain Risk Assessment can continue.
To ensure that questionnaire responses are endorsed by the supplier's Senior Leadership Team (SLT), we will request that each completed questionnaire is signed by a director or legal representative of the supplier to confirm that its contents are true and correct.
Supply Chain Risk Assessment
Upon receiving the completed questionnaires from your suppliers, along with any supporting evidence, our consultancy team will conduct the Supply Chain Risk Assessment.
For each question in the Supplier Questionnaire, our consultants will assess your supplier’s answers and identify any potential risks that may affect your organisation’s data or systems.
All answers in the questionnaire will be allocated a RAG (Red, Amber or Green) status and a description of the risk and potential impact will be documented.
Where your supplier has provided certificates (such as Cyber Essentials or ISO 27001 certification), our team will validate each certificate to confirm that it is genuine and current. In practice this means checking it with the issuing or certification body rather than relying on the supplied document alone, noting its expiry date (Cyber Essentials certificates are valid for 12 months), and confirming that the certified scope actually covers the services, systems and locations that handle your data.
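A worked illustration of the assessment stage, added here and not part of SecureTeam's own tooling or method: the assumed rules below score each supplier's RAG-rated answers, flag certificates that are unverified, expired or close to expiry, and rank suppliers by how urgently they need attention. The supplier, questions, dates, the 90-day warning window and the weighting in RAG_SCORE are all constructed for the example.

```python
"""Added example (not SecureTeam's tooling): turn a supplier's questionnaire
answers, each already given a RAG status, plus its certificates into a risk
profile. The scoring rules, warning window and sample supplier are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

RAG_SCORE = {"Green": 0, "Amber": 1, "Red": 3}  # assumed weighting for a simple ranking


@dataclass
class Answer:
    question: str
    rag: str          # "Red", "Amber" or "Green", as assessed by the consultant
    risk: str = ""    # description of the risk and potential impact

    def __post_init__(self):
        if self.rag not in RAG_SCORE:
            raise ValueError(f"unknown RAG status {self.rag!r} for {self.question!r}")


@dataclass
class Certificate:
    name: str
    expires: date
    verified: bool    # True once checked with the issuing or certification body


@dataclass
class Supplier:
    name: str
    answers: list[Answer] = field(default_factory=list)
    certificates: list[Certificate] = field(default_factory=list)


def certificate_finding(cert, today, warn_days=90):
    """Return (severity, message) if a certificate cannot be relied upon, else None.
    Unverified or expired certificates are Red; expiring within warn_days is Amber."""
    if not cert.verified:
        return ("Red", f"{cert.name}: not validated with the issuing body")
    if cert.expires < today:
        return ("Red", f"{cert.name}: expired on {cert.expires.isoformat()}")
    if cert.expires - today <= timedelta(days=warn_days):
        return ("Amber", f"{cert.name}: expires on {cert.expires.isoformat()}")
    return None


def risk_profile(supplier, today, warn_days=90):
    """Assumed rule: any Red answer or Red certificate finding makes the supplier Red;
    otherwise any Amber makes it Amber; otherwise Green."""
    findings = [f for f in (certificate_finding(c, today, warn_days)
                            for c in supplier.certificates) if f]
    statuses = [a.rag for a in supplier.answers] + [sev for sev, _ in findings]
    overall = "Red" if "Red" in statuses else "Amber" if "Amber" in statuses else "Green"
    return {
        "supplier": supplier.name,
        "overall": overall,
        "score": sum(RAG_SCORE[a.rag] for a in supplier.answers),
        "risks": [(a.rag, a.question, a.risk) for a in supplier.answers if a.rag != "Green"],
        "certificate_findings": [msg for _, msg in findings],
    }


def rank_suppliers(suppliers, today):
    """Order suppliers so the ones needing attention first come first."""
    order = {"Red": 0, "Amber": 1, "Green": 2}
    profiles = [risk_profile(s, today) for s in suppliers]
    return sorted(profiles, key=lambda p: (order[p["overall"]], -p["score"]))


# Constructed sample data (not a real supplier); a fixed date keeps the output stable.
TODAY = date(2025, 1, 15)
SAMPLE = Supplier(
    "Example Payroll Ltd (constructed)",
    answers=[
        Answer("Is MFA enforced on remote access to systems holding our data?", "Red",
               "Single-factor remote access; credential theft would expose payroll data."),
        Answer("Date of last independent penetration test?", "Amber",
               "Last test 18 months ago; annual testing expected."),
        Answer("Is our data encrypted at rest?", "Green"),
    ],
    certificates=[
        Certificate("Cyber Essentials", date(2025, 2, 10), verified=True),  # 26 days out
        Certificate("ISO 27001", date(2026, 11, 30), verified=True),
    ],
)

if __name__ == "__main__":
    for p in rank_suppliers([SAMPLE], TODAY):
        print(p["overall"], p["supplier"], p["score"], p["certificate_findings"], sep=" | ")
```

Because an unverified or expired certificate is treated as a Red finding on its own, a supplier whose questionnaire answers are all Green still surfaces at the top of the list if the evidence behind those answers cannot be relied upon.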
Preparing for your Supply Chain Risk Assessment
To get the most from the engagement, please have the following available where they exist:
- Supplier Contracts and Agreements
- Service Level Agreements (SLAs)
- Supplier Data Processing Agreements (DPAs)
- Supplier Cybersecurity Policies and Standards
- Previous Supplier Risk Assessments and Audits
- Incident Response and Business Continuity Plans that involve your suppliers
- Third-Party Risk Management Policies
- Availability of the key individuals who are responsible for supplier procurement, data protection and information security to attend the Supply Chain Risk Workshop
Prior to the work commencing, our consultant(s) will introduce themselves and discuss the scope of work with you, so you can ask any questions about our process.
Debrief Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
Reporting
At the end of the Supply Chain Risk Assessment, a comprehensive report will be created which outlines each of the in-scope suppliers, with a risk profile being assigned to each one.
For each supplier, we will document the answers to their questionnaire questions – highlighting areas that our consultants feel would present a risk to your data or services. Specific real-world risks will be highlighted against each supplier, alongside the potential impact to your data and systems if the supplier were to suffer a security breach.
Where a potential risk has been identified, our consultant will also provide a high-level recommendation on how your supplier could improve. This allows you to communicate pragmatic feedback to your suppliers, so that they can not only improve their own cyber security posture, but in turn improve the secure handling of your data or services.
Where suppliers have provided certification and audit information, we will outline the certificates that they have in place and indicate when these certificates are due to expire.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
Why Choose SecureTeam?
- UK-based Consultancy Team
- Customer Focused
- Security Vetted Consultants
- Ethical Scoping & Pricing
- 25+ Years Industry Experience
- ISO 9001 & 27001 Certified
- CREST Accredited
- Comprehensive Reporting
Ready to take your cyber security to the next level?
Trusted Cyber Security Experts
As an organisation, SecureTeam has provided penetration testing and cyber security consultancy to public and private sector organisations both in the United Kingdom and worldwide. We pride ourselves on taking a professional, pragmatic and customer-centric approach, delivering expert cyber security consultancy on time and within budget, regardless of the size of your organisation.
Our customer base ranges from small tech start-ups through to large multi-national organisations across nearly every sector, on nearly every continent. Some of the organisations who have trusted SecureTeam as their cyber security partner include:
Customer Testimonials
"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend."
IoT Solutions Group Limited, Chief Technology Officer (CTO) & Founder
"First class service as ever. We learn something new each year! Thank you to all your team."
Royal Haskoning DHV, Service Delivery Manager
"We've worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn't work with anyone else for our cyber security."
Capital Asset Management, Head of Operations
"SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary."
Derbyshire County Council, Team Manager, Education Data Hub
"A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well."
AMX Solutions, IT Project Officer
"We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support."
Innovez Ltd, Support Officer
Get in touch today
If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.
Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.
We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.
Get in touch with us today and a member of our team will be in touch to provide you with a quotation.
Subscribe to our monthly newsletter
If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter.
We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all our cyber security news and articles that we’ve released that month.
"We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed."
Aim Ltd, Chief Technology Officer (CTO)