ISM-1452

A supply chain risk assessment is performed for suppliers of applications, IT equipment, OT equipment and services in order to assess the impact to a system’s security risk profile.

Topic: Cyber supply chain risk management activities
Applicable to: all
Priority: should

History
Jun 2024
Control: A supply chain risk assessment is performed for suppliers of applications, IT equipment, OT equipment and services in order to assess the impact to a system’s security risk profile.
Change: A number of existing controls relating to cyber supply chain risk management activities for ICT equipment were amended to refer to IT equipment and OT equipment.

Sep 2022
Control: A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a system’s security risk profile.
Change: Language associated with cyber supply chain risk assessments for applications, ICT equipment and services ‘relevant to the security of systems’ was amended to ‘associated with systems’, noting that every part of a system can potentially impact its security risk profile.

Sep 2022
Control: A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a system’s security risk profile.
Change: Language associated with ‘suppliers and service providers’ was amended to ‘suppliers’, noting that suppliers have now been defined within the glossary as encompassing application developers, ICT equipment manufacturers, service providers and other organisations involved in distribution channels.

Sep 2022
Control: A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a system’s security risk profile.
Change: The cyber supply chain risk management recommendations covering components and services were amended to applications, ICT equipment and services.

Dec 2020
Control: Before obtaining components and services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk.
Change: Security control 1452 was amended to build upon security control 1631 by focusing on components and services relevant to the security of systems, and how particular suppliers or service providers could increase systems’ security risk profile. Part of this security control involves identifying suppliers and service providers that are high risk.

Nov 2020
Control: A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile.

Jul 2020
Control: A review of suppliers and service providers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile.
Change: Security control 1452 was amended to capture service providers as part of cyber supply chain risk management activities.

Jun 2020
Control: A review of suppliers, including their country of origin, is performed before obtaining software, hardware or services to assess the potential increase to an organisation’s security risk profile.

2015
Control: Agencies should perform a due diligence review of suppliers, including their country of origin, before obtaining software, hardware or services, to assess the potential increase to agency security risk profiles.