What questions are included in a supply chain cybersecurity self-assessment questionnaire?
How do I complete a supply chain security survey?
By the end of this guide, you will know how to complete a supply chain security survey as we detail the why, how and who of completing a cybersecurity supplier survey. Most importantly, we will address what to do if you are not meeting the minimal supply chain security standards.
There is also a useful downloadable template: 'Cybersecurity self-assessment questionnaire template' to help you practice with your response.
The questions you are expected to answer in a supply chain security survey will differ from one client or tender to another. This is because each supply chain and organisation has its own individual risks. That said, the questionnaires we have completed on behalf of our clients have had consistent themes, as they aim to find out:
Who is responsible for cybersecurity at your business.
What’s your organisation’s culture and attitude toward cybersecurity – do you take it seriously?
Processes and documentation you have in place.
How you control access and use their information/assets. This includes IT systems and physical premises.
If you meet the base level of cybersecurity for businesses recommended by GCHQ/NCSC, including meeting or working towards Cyber Essentials accreditation.
If you go above and beyond to proactively protect your organisation against cybersecurity threats, to meet the higher IASME Governance cybersecurity certification.
Here's a list of questions typically found in supply chain self-assessment security surveys. This is not a definitive list. Please bear in mind that the questions will be adapted, specific and proportionate to the security of the client's business and supply chain.
Download a free cybersecurity self-assessment questionnaire template by clicking the download link below:
The individual(s) completing the assessment should know your organisation's cybersecurity controls inside out. In a large corporate, the chief information security officer (CISO) answers and signs off cybersecurity self-assessment questionnaires. Chief information security officers have ‘hands-on’, technical experience and an in-depth understanding of cybersecurity – consequently, they are ideal to complete the survey.
If you outsource cybersecurity, then the IT company managing your cybersecurity should answer the security questions. It is important the survey is completed by individuals that fully understand the questions being asked, and ultimately have a technical understanding of cybersecurity.
While your security partner should complete the questionnaire, the self-assessment is signed off in-house by the individual who has overall responsibility for cybersecurity, be it the business owner, managing director, operations director or IT manager.
Each business has unique processes, policies, security controls, IT infrastructure and technology stack. While the answers to a cybersecurity supplier survey need to be specific to your organisation, listed below are useful guidelines to help complete the exercise:
Don’t be ambiguous. The survey is designed to encourage transparency and a collaborative approach to cybersecurity. Being clear and factual will help to build trust with your client or prospective client.
Leading from the previous point, consider using SMART objectives to answer the questions. This will ensure the right degree of detail, particularly when describing your future security goals:
This isn’t a novel. Cybersecurity can be complex, therefore help the reader by structuring your answers to make it easy to digest. Use plain English, short sentences, bullet points and subheadings - whatever helps to communicate your answers in the simplest format.
Build trust and develop a long-term relationship with your supply chain by answering honestly. Bear in mind that you could be audited in the future, so honesty is the best policy.
Expect to provide evidence of your approach to security and of your ability to meet their minimum security requirements. You may be asked for further evidence as you progress through the bidding stages, so be prepared and keep up to date with reports and timetabled reviews.
Cybersecurity is a young, developing discipline. It’s widely accepted that smaller organisations are at the early adoption stage, and you will be allowed time to improve your security posture. Detail your plans for the future, but be prepared to provide timescales and plans that demonstrate how you intend to achieve them.
It’s important to demonstrate a continuous improvement mentality. Cyber threats get more sophisticated over time, and so too must your cyber resilience. Small changes can yield significant improvements over time, and your organisation must demonstrate an appreciation for this, be it through regular meetings, reviews or planned improvements.
Include the security certification you have passed or are working towards, such as Cyber Essentials or IASME supply chain security certification. Remember to use SMART objectives to provide an indication of when you expect to pass the certification if you are working towards certification, and specify any renewal/reassessment dates.
It’s never too late to implement cybersecurity measures. First, ensure your organisation has a senior leader accountable for cybersecurity. Secondly, evaluate your existing security. A security audit carried out by a reputable cybersecurity business will expose your security strengths and weaknesses. Next, put a plan together to continually improve your security, then review it regularly.
If you don’t already include cybersecurity in your leadership meetings, then there’s no time like the present. Add cybersecurity to the agenda and treat it as you would finance, reviewing it with the same frequency.
It is also possible to quickly turn around and implement new security policies using a reputable, outsourced cybersecurity provider (prior to sending back the completed cybersecurity self-assessment questionnaire). Cybersecurity providers regularly draft cybersecurity policies and have the skillset to customise them for your organisation.
Remember, the sooner you demonstrate security improvements, the better.
If you are having trouble meeting some elements of the security criteria, don’t worry. Mention any sticking points or why you have not been able to pass certification such as Cyber Essentials. It’s important that the client requesting the questionnaire knows where you stand. This is an opportunity to explain why the letter of the scheme cannot be met and define the steps you are taking to manage these risks through, for example, compensating security measures.
It’s likely they will provide you with guidance – after all, it’s in their best interests. Large clients will aim to build partnerships with a shared cyber ethos, rather than dictate.
Until recently, very few UK businesses defined the minimum security standards for their supply chain. Today, cybersecurity supply chain surveys are commonplace, either as part of a tender or as part of ongoing supply chain security auditing. Businesses are making a conscientious effort to raise the baseline level of cybersecurity in their supply chain.
But why? In recent years, cybercriminals have taken advantage of security weaknesses in supply chains. It doesn’t matter if you have the greatest cybersecurity if a supply chain network can be infiltrated through a 1st, 2nd or 3rd tier supplier’s poor cyber hygiene.
Supply chain cyberattacks can be catastrophic to the organisations entwined in the supply chain. A series of high-profile, damaging attacks have illustrated how attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is genuine and growing.
The complexity of supply chains makes it difficult to influence the security of your suppliers. Cybersecurity self-assessment questionnaires are just one element of supply chain cybersecurity. Following the survey, clients aim to:
Implementing security measures takes time, but the long-term investment is worthwhile. Improving your overall resilience will reduce the number of business disruptions and the damage they cause. It will also demonstrate compliance with GDPR and the Data Protection Act. But most importantly, it may help you win new contracts, because of the trust you have gained through implementing cybersecurity measures.
Completing a cybersecurity self-assessment questionnaire can be difficult if you are not a cybersecurity expert; however, help is available.
Get in touch with our team if you need help with: