Supply chain security is the management of the security risks that reach an organisation through its suppliers, contractors and other third parties, and of the requirements it must pass down to them in turn. In Australia and internationally, it is guided by ISO 28000:2022, the security management system standard for the supply chain. The principle is simple: you inherit your suppliers’ risk, so you have to manage it.
For procurement, security and risk teams, the supply chain is often the largest source of risk an organisation does not directly control. This page explains what supply chain security is, how ISO 28000:2022 frames it as a management system, how to manage third-party risk, and how requirements flow down the chain.
Overview
What is supply chain security?
Supply chain security is the discipline of identifying and managing the security risks arising from the network of suppliers, service providers, and contractors that an organisation depends on. A weakness in a supplier, whether a cyber breach, a personnel issue or a physical compromise, can become the organisation’s problem, because the risk flows up the chain toward the entity that relies on it.
It works in both directions. An organisation manages the risk posed by its suppliers and, at the same time, passes its own security requirements down to them, often because its customers or regulators require it to.
The standard
ISO 28000:2022 and the security management system

ISO 28000:2022, Security and resilience — Security management systems — Requirements, is the international standard for managing security across the supply chain. It is the second edition, published in 2022, and replaces the 2007 edition. It sets out a management system that uses the same harmonised structure as ISO 27001 and ISO 22301, enabling an organisation to integrate supply chain security with its information security and business continuity management.
Like other management-system standards, it asks an organisation to understand its context and risks, set objectives, put controls in place, and improve over time, applied to the specific problem of the supply chain.
Third parties
Third-party and contractor risk
The core of supply chain security is third-party risk management: knowing who an organisation depends on, understanding the risk each supplier presents, and treating that risk proportionately. Critical suppliers warrant more scrutiny than minor ones, and the assessment should cover the supplier’s cyber, personnel, and physical security, not just its commercial standing.
This is the same risk discipline the organisation applies elsewhere, grounded in security risk management and focused on the supplier base.
Flowing down
Flowing requirements down the supply chain
Security requirements cascade. A government department imposes protective security requirements on its suppliers; a critical infrastructure operator passes SOCI obligations to its service providers; a prime contractor flows DISP-style requirements to its subcontractors. Each organisation in the chain has to meet the requirements imposed on it and impose appropriate requirements on those below it, usually through contracts.
ISO 28000:2022 gives an organisation a structured way to manage both directions, rather than handling each supplier relationship in isolation.
The connection
How supply chain security links to SOCI and risk management
Supply chain security is a thread that runs through several other frameworks. It is one of the hazard vectors a SOCI Act risk-management program must address, a domain the PSPF reaches through supplier contracts, and a requirement APRA’s CPS 230 places on financial services through material service-provider management. A single supply chain security approach, built on security risk management, can serve all of them.
How we help
How Agilient supports supply chain security
Agilient helps organisations understand and manage the security risk in their supply chains, and meet the requirements their own customers and regulators impose. The work is independent and risk-based.
ISO 28000 management system
A supply chain security management system to ISO 28000:2022.
Third-party risk assessment
Assessing the security risk posed by each critical supplier.
Contract security requirements
Flowing security requirements down to suppliers through contracts.
Supplier assurance
Audits and assurance over supplier security.
SOCI supply-chain hazard
The supply chain vector of a critical infrastructure CIRMP.
Ongoing monitoring
Keeping the supplier risk picture current.
Agilient works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Manage the risk you inherit from your suppliers
A supply chain security assessment shows where your third-party risk sits and what requirements you should be flowing down to your suppliers.
Talk to us about supply chain security or book a short briefing.

References
- ISO, ISO 28000:2022 Security and resilience — Security management systems — Requirements, iso.org
