Information Assurance since 2010

Supply Chain Assurance

Your security is only as strong as your weakest supplier. Many breaches now come through someone you trusted with access, data or code. We help you see your supply chain clearly, set the bar your suppliers must meet, and prove they actually meet it.

  • Built on the NCSC principles of supply chain security.
  • Cyber Essentials verification and certification. An IASME Certification Body since 2014.
  • Technical validation by CREST-qualified and Cyber Scheme testers.
  • Aligned to PPN 014, the MoD Cyber Security Model and the Cyber Assessment Framework.
  • North East based. Delivered UK-wide.
The discipline

What supply chain assurance means

Confidence, gained and kept, that the organisations you depend on are not your weakest link. Not a one-off questionnaire. A managed process.

Supply chain assurance is how you gain, and keep, confidence that the organisations you depend on are not your weakest link. It is a managed process: know your suppliers, judge the risk each one carries, set minimum security requirements, check they are met, and keep checking as things change.

The NCSC sets the standard for this in the UK. Its supply chain security guidance sets out 12 principles across four stages: understand the risks, establish control, check your arrangements, and continuous improvement. Its practitioner method, "How to assess and gain confidence in your supply chain cyber security", runs in five stages: preparing, developing an assessment approach, applying it to new supplier relationships, integrating it into existing supplier contracts, and continuous improvement.

The case

Why it matters now

The threat moved to the supply chain

Attackers target the supplier to reach the customer. One weak link exposes everyone downstream.

It is required, not optional

Government, defence and regulated buyers now have to assure their suppliers, and pass those requirements down the chain.

It decides who wins work

More tenders and framework agreements ask you to prove your own supply chain is controlled, and ask your suppliers to prove the same.

The rules are tightening

The Cyber Security and Resilience Bill is set to bring managed service providers into scope and create powers to designate critical suppliers.

The drivers

The UK requirements that drive this

Supply chain assurance is no longer just good practice. It is written into how the UK buys, regulates and contracts. We build your programme against the frameworks your buyers and regulators actually use.

If you are selling to government
  The requirement: PPN 014, Cyber Essentials Scheme (replaced PPN 09/14 and PPN 09/23 in February 2025).
  What it asks of your supply chain: Cyber Essentials or Cyber Essentials Plus is required where contracts handle personal data, OFFICIAL information or sensitive government business, renewed every year. The trigger is data sensitivity, not contract value.

If you are in the defence supply chain
  The requirement: MoD Cyber Security Model (CSM), via DEFCON 658 and Def Stan 05-138.
  What it asks of your supply chain: Cyber obligations flow down to every subcontractor touching MoD information. Suppliers self-assess against a risk profile (Levels 0 to 3) on the Supplier Assurance Questionnaire.

If you are an operator of essential services
  The requirement: NIS Regulations 2018 and the NCSC Cyber Assessment Framework (CAF).
  What it asks of your supply chain: CAF Principle A4 (Supply Chain) expects you to understand and manage supplier risk to your essential functions, and to use supported, secure software.

If you are in financial services
  The requirement: PRA SS2/21, FCA PS21/3, and the Critical Third Parties regime.
  What it asks of your supply chain: Map and test the third parties behind your important business services, with due diligence, audit rights and exit plans for material outsourcing.

If you are handling personal data
  The requirement: UK GDPR Article 28 and the Data Protection Act 2018.
  What it asks of your supply chain: Use only processors that give sufficient guarantees, with due diligence and the same obligations flowed down to sub-processors.

If you are certified to a standard
  The requirement: ISO/IEC 27001:2022, controls A.5.19 to A.5.23.
  What it asks of your supply chain: Manage security in supplier relationships, supplier agreements, the ICT supply chain, ongoing monitoring of supplier services, and cloud services.

If you are selling or building software
  The requirement: Software Security Code of Practice (DSIT and NCSC, 2025).
  What it asks of your supply chain: A voluntary baseline that buyers can require and vendors can demonstrate, to cut software supply chain attacks.

Cyber Essentials is the baseline the NCSC advises every organisation to require of its suppliers. As the NCSC's Supply Chain Playbook puts it, to see real improvement through Cyber Essentials, "you need to require it".

The work

What we do

We work both sides of the relationship: helping you assure your suppliers, and helping you pass the assurance checks your own customers run.

If you are assuring your supply chain

  1. Map and tier

    We help you build the picture: who your suppliers are, what they touch, and which ones carry real risk. Effort follows criticality, the way the NCSC method intends.

  2. Set the bar

    We turn "be secure" into requirements suppliers can meet and you can check: Cyber Essentials as the baseline, with more where the risk is higher.

  3. Assess

    Structured supplier questionnaires built on the NCSC Supplier Assurance Questions and the ISO 27001 supplier controls, scaled to each supplier's risk.

  4. Verify, do not just ask

    As an IASME Certification Body, we confirm that a supplier's Cyber Essentials status is real, current and in scope, not just claimed.

  5. Validate the critical few

    For your highest-risk suppliers, our CREST-qualified and Cyber Scheme testers can technically test what a questionnaire only asserts.

  6. Embed and maintain

    Assurance built into onboarding, contracts and renewals, with a register you can put in front of your board. Then we keep it current, because your supply chain keeps changing.

Talk to us about your supply chain

If you are a supplier being assessed

Told to get Cyber Essentials Plus to keep a contract? Sent a security questionnaire you do not know how to answer? Facing an MoD risk profile and an SAQ? We get you through it.

  • We certify you to Cyber Essentials or Cyber Essentials Plus, in-house, as a Certification Body since 2014.
  • We help you complete supplier assurance questionnaires honestly and well.
  • We get you ready for defence requirements, including the Cyber Security Model and SAQ.
  • We close the gaps a customer audit would find, before they find them.
I need to pass a customer's check
The partner

Why assure with Layer 7

Most providers do one part. We cover the whole lifecycle (secure, assure and manage) under one roof. Anyone can send a questionnaire. We verify the answers, certify the suppliers that fall short, and technically test the suppliers that matter.

We certify, not just question

Anyone can send a supplier a questionnaire. As an IASME Certification Body, we can verify certification, and actually certify the suppliers who fall short. That is assurance you can stand behind.

We can prove it, not just take their word

Questionnaires are self-attested. Our CREST-qualified and Cyber Scheme testers technically validate your critical suppliers, so claimed controls become tested ones.

We are grounded in the NCSC, not in jargon

The programme maps to the NCSC's 12 principles, its five-stage assessment method, the Cyber Assessment Framework and PPN 014. That is credibility your buyers and auditors recognise.

We are right-sized

Built for mid-market buyers with tens or hundreds of suppliers, and for the SME suppliers being asked to prove themselves. Tailored help, not an enterprise platform seat.

A Certification Body since 2014: one of the longest-standing in the UK. Government-grade rigour, made practical.

The process

How it works

Five steps, one firm from first call to renewal. Fixed price, clear deliverables, assurance kept current as your supply chain changes.

Start with a scoping call
  1. Scope

    We confirm your goal: assuring suppliers, passing a customer check, or both. Fixed price, clear deliverables.

  2. Map and assess

    We tier your suppliers by risk and assess them in proportion, or we assess you against what your customer requires.

  3. Verify and validate

    Cyber Essentials confirmed at source; critical suppliers technically tested where it counts.

  4. Report

    A supplier risk register and board-ready assurance report, or your certificate and a clean questionnaire response.

  5. Maintain

    We track renewals and reassess as your supply chain changes, because assurance is continuous, not a one-off.

Across the lifecycle

Beyond the baseline

Supply chain assurance connects to the rest of what we do. Cyber Essentials sets the baseline, penetration testing proves the controls, and CAF readiness takes regulated organisations further. One firm, across the lifecycle.

Questions

Supply chain assurance FAQs

What is supply chain assurance in cyber security?

Supply chain assurance is the ongoing process of understanding, requiring and verifying the cyber security of your suppliers, so a weak supplier cannot become your breach. The NCSC frames it in 12 principles across four stages: understand the risks, establish control, check your arrangements, and continuous improvement.

What is the difference between supply chain assurance and third-party risk management?

They overlap heavily. Third-party risk management is the broader discipline of managing risk from any third party. Supply chain assurance is the cyber-security-focused part: gaining evidence-based confidence that suppliers meet your security requirements, and keeping that confidence current.

How do I assess the cyber security of my suppliers?

Map your suppliers, tier them by how much risk they carry, then assess each in proportion. The NCSC publishes Supplier Assurance Questions to structure this. We add verification: confirming Cyber Essentials at source, and technically testing your most critical suppliers.

Do my suppliers need Cyber Essentials?

If you sell to UK government, PPN 014 means many of your suppliers must hold Cyber Essentials or Cyber Essentials Plus where they handle personal data, OFFICIAL information or sensitive business. More widely, the NCSC advises requiring Cyber Essentials as the baseline across your supply chain.

What does PPN 014 require?

PPN 014, which replaced PPN 09/14 and 09/23 in February 2025, requires public-sector contracting authorities to mandate Cyber Essentials or Cyber Essentials Plus where a contract involves sensitive data, renewed annually. The level required is driven by data sensitivity.

How does Cyber Essentials help secure my supply chain?

Cyber Essentials proves a supplier has the five controls that stop the most common attacks. Requiring it sets a recognised baseline across your suppliers. As the NCSC says, to see real improvement you must require it, not just recommend it. We verify and certify it as a Certification Body.

What are the NCSC's principles of supply chain security?

The NCSC sets out 12 principles in four stages: understand the risks, establish control, check your arrangements, and continuous improvement. They cover knowing your suppliers, setting minimum requirements, building security into contracts, and building assurance into how you manage the chain.

Can you help us pass a customer's security assessment?

Yes. If a customer requires Cyber Essentials Plus, a completed assurance questionnaire, or a defence risk profile, we get you certified and ready. As a Certification Body since 2014, we certify in-house and help you answer assurance checks credibly.

How does this apply in the defence supply chain?

The MoD Cyber Security Model flows cyber requirements down through DEFCON 658 and Def Stan 05-138. Suppliers self-assess against a risk profile via a Supplier Assurance Questionnaire. We help you reach the required level and evidence it.

How often should supplier cyber security be reviewed?

Assurance is continuous, not a one-off. Certifications such as Cyber Essentials renew annually, and you should reassess when a supplier role, access or risk changes. We track renewals and reassess as your supply chain evolves.

Assure the supply chain you depend on

Stop trusting a questionnaire on its own. Verify it, certify it, and test the suppliers that matter, with a Certification Body that has done this since the scheme began in 2014.