{"id":180,"date":"2025-08-07T10:05:00","date_gmt":"2025-08-07T09:05:00","guid":{"rendered":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/?p=180"},"modified":"2025-11-05T10:08:09","modified_gmt":"2025-11-05T10:08:09","slug":"cyber-essentials-and-cyber-assurance-for-the-uk-supply-chain","status":"publish","type":"post","link":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/cyber-essentials-and-cyber-assurance-for-the-uk-supply-chain\/","title":{"rendered":"Cyber Essentials and Cyber Assurance for the UK supply chain"},"content":{"rendered":"\n<p>A lot of organisations struggle with structuring a robust cyber security approach to their supply chain and a failure to act could lead to a serious breach for all those involved.<\/p>\n\n\n\n<p><a href=\"https:\/\/adas-ltd.com\/\">ADAS Ltd<\/a> is a cybersecurity consultancy supporting local businesses across North Wales in bridging this gap. In this blog, <a href=\"https:\/\/adas-ltd.com\/meet-the-team\/\">Savva Pistolas &#8211; the Technical Director at ADAS Ltd<\/a>, addresses risks to supply chains, collaboration on security across business networks, and how to identify viable trusted partners. Savva was previously a supervisor within the <a href=\"https:\/\/www.wcrcentre.co.uk\/services\">Cyber PATH<\/a> team at the <a href=\"https:\/\/nationalcrcgroup.co.uk\/\">National Cyber Resilience Centre Group<\/a> &#8211; supporting the development and delivery of our services across the England and Wales business landscape.<\/p>\n\n\n\n<p>The supply chain security challenge: Why traditional approaches fall short<\/p>\n\n\n\n<p>The traditional procurement process to involve other businesses or teams in your organisational endeavours has always been centred around cost, quality and delivery of shared objectives. 
In recent years, security questionnaires have become commonplace when prospecting with larger organisations.<\/p>\n\n\n\n<p>Recipients are asked to answer a set of questions on the posture of their organisation, and whether they have any supporting evidence or certification of this. For SMEs, this can be a difficult piece of work that ends up serving as a gap analysis of \u2018things we don\u2019t seem to have in place\u2019. For SMEs looking to use questionnaires themselves as a way of assessing their own supply chain, it can be quite an overbearing piece of infrastructure to set up and keep track of.<\/p>\n\n\n\n<p>Imagine trying to assess the security posture of a potential supplier when one organisation considers &#8220;we have antivirus software&#8221; to be sufficient endpoint protection, whilst another implements enterprise-grade endpoint detection and response solutions with 24\/7 monitoring. Both might tick the same box on a security questionnaire, but the actual level of protection they provide is worlds apart. There\u2019s also the need to validate the answers \u2013 and identify any errors in the submission. So, it can be quite time-intensive when you\u2019re really just trying to collaborate with a potential new business partner.<\/p>\n\n\n\n<p>The challenge is compounded by the fact that different organisations have vastly different risk appetites. A startup might be comfortable accepting certain security risks in exchange for rapid growth, whilst a well-established enterprise might have much more conservative attitudes to risk. 
When these organisations need to work together, how do you create a common understanding of what constitutes acceptable security?<\/p>\n\n\n\n<p>Cyber Essentials Plus: A universal language for security controls<\/p>\n\n\n\n<p>This is precisely why IASME\u2019s Cyber Essentials Plus (CE+) and Cyber Assurance Framework (ICA) represent a significant opportunity for organisations looking to create supply chains that sit on the same page. Unlike risk-based approaches that allow for subjective interpretation, CE+ and ICA are fundamentally control-based standards &#8211; and this distinction is absolutely crucial.<\/p>\n\n\n\n<p>When an organisation achieves Cyber Essentials Plus or Cyber Assurance Level 2 certification, they&#8217;re not just saying they&#8217;ve assessed their risks and are comfortable with their current security posture. They&#8217;re demonstrating that they&#8217;ve implemented specific, measurable controls that have been independently verified through technical testing and interview with a government-recognised certification body. The controls are either there or they\u2019re not. The policies are either there or they\u2019re not. The effort was either exercised, or it wasn\u2019t. It\u2019s a simple, government-backed way of communicating risk management across organisational boundaries!<\/p>\n\n\n\n<p>An investment on multiple fronts<\/p>\n\n\n\n<p>Pursuing CE+ or ICA for your own organisation is a good way to bolster and demonstrate your own security efforts, but it also serves as a great way to develop this universal language of reference for understanding other organisations that have undertaken the same journey.<\/p>\n\n\n\n<p>The best part is that the standard retrofits to your existing suppliers. You can start to ask providers and partners to pursue the standard for themselves. 
If it\u2019s a journey you want to undertake alongside your supply chain, then there\u2019s absolutely nothing wrong with collaborating with other organisations on policy design, control implementation advice, or recommended providers. Economies of scale are very real here, and you might find that other organisations have the exact same appetite for digital maturity as you do \u2013 and are open to collaborating to achieve a shared goal.<\/p>\n\n\n\n<p>Moving forward: CE+ as your competitive advantage<\/p>\n\n\n\n<p>Implementing CE+ as a supply chain security standard isn&#8217;t just about risk mitigation &#8211; it&#8217;s becoming a competitive advantage as a pre-validated security posture for potential clients. In an increasingly connected business landscape, organisations that can provide \u2018instant assurance\u2019 about their security posture and that of their suppliers will be better positioned to win contracts, build partnerships, and maintain customer trust.<\/p>\n\n\n\n<p>For businesses across North Wales and beyond, this represents a significant opportunity. By adopting standardised, verifiable security controls and requiring the same from your suppliers, you&#8217;re not just protecting your own organisation &#8211; you&#8217;re contributing to a more secure business ecosystem that benefits everyone.<\/p>\n\n\n\n<p>As cyber security professionals, we&#8217;re committed to supporting local businesses through this transition and have a wealth of in-house experience. Whether you&#8217;re looking to achieve CE+ certification yourself, implement CE+ requirements across your supply chain, or simply better understand how these standards can benefit your organisation, you should reach out and say \u2018hello\u2019. We\u2019d love to talk to you.<\/p>\n\n\n\n<p>The question isn&#8217;t whether supply chain security will become a critical business requirement &#8211; it already is. 
CE+ and ICA Level 2 provide the framework for a proactive approach, with standardised controls that create trust and transparency across organisational boundaries. If you\u2019re silently crying out for a roadmap towards a better supply chain, this is it.<\/p>\n\n\n\n<p>If you would like to speak to someone about Cyber Essentials and Cyber Essentials Plus and how you and your business can become certified, then contact the <a href=\"https:\/\/www.wcrcentre.co.uk\/contact-us\">WCRC<\/a> and speak to a member of the team who will happily talk you through the process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A lot of organisations struggle with structuring a robust cyber security approach to their supply chain and a failure to act could lead to a&#8230;<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-180","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"acf":[],"_links":{"self":[{"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/posts\/180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/comments?post=180"}],"version-history":[{"count":1,"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/posts\/180\/revisions"}],"predecessor-version":[{"id":181,"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/posts\/180\/revisio
ns\/181"}],"wp:attachment":[{"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/media?parent=180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/categories?post=180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crcnetwork-cfkr6.projectbeta.co.uk\/walescrc\/wp-json\/wp\/v2\/tags?post=180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}