NCSC issues new supply chain mapping guidance

The NCSC has published a new addition to its supply chain guidance with a focus on the process of supply chain mapping.

Supply chain mapping is the process of recording, storing and using information gathered about the suppliers involved in an organisation's supply chain. The new guidance focuses specifically on this aspect of supply chain operations and is aimed at procurement specialists, risk managers and cyber security professionals.

Ian McCormack, deputy director for government cyber resilience at the NCSC, said: “Supply chain mapping follows the principles of all good risk management. Organisations need to understand the risks inherent in their supply chain, and then introduce security measures that are in proportion to the likelihood – and impact – of those risks materialising. The goal is to have an up-to-date understanding of your network of suppliers, so that cyber risks can be managed more effectively, and due diligence carried out.”

The new guidance details a number of aspects of supply chain mapping, including: what supply chain mapping is, why it’s important and how it can benefit your organisation; what information it will typically contain; the role of sub-contractors that your suppliers may use; and what this means when agreeing contracts.

“The exact approach will depend upon your organisation’s procurement and risk management processes, and the tooling that you have available to you. However, if you’re not sure where you start, we encourage you to read both the Supply Chain Mapping document and also our guidance on How to Assess and Gain Confidence in your Supply Chain Cyber Security.”

Readers may access these two documents here:
