October 5, 2022

Last Updated on January 18, 2024

Supply chain risk management (SCRM)—drilling multiple levels down into your suppliers’ risks and how they interrelate—is neither easy nor quick. But it’s essential to identifying and mitigating potentially critical cybersecurity and/or compliance risks, especially in software supply chains with their nested API calls and cloud complexities.

Can any of today’s top cybersecurity frameworks, like ISO 27001, provide some guidance or answers for managing software supply chain risk?

To explore software supply chain risk and strategies for managing it, Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance, SGS, joined a recent episode of The Virtual CISO Podcast. Hosting the show as always is Pivot Point Security’s CISO and Managing Partner, John Verry.

Context is king

As Willy points out, an org’s context is the cornerstone of ISO 27001 certification. Context is also the starting point for all forms of risk management, including software supply chain risk.

“If John & Willy, Inc. is designing containers for medication, and we use a third-party CAT supplier in China to develop our molding tool, that’s fine,” Willy posits. “But if you happen to be a space exploration company and decide to outsource your CAT design to China, you might fall into some legal challenges in terms of export control. So we need to understand that. And that has implications in terms of which suppliers we can use, and what information we are sharing with our suppliers.”

Driving better risk assessment

John observes that whether you’re looking at cybersecurity or business continuity, the real question with managing supply chain risk is, how realistic is your risk assessment?

“We talk about a risk, like the risk that data might not be available or the risk that a vendor might go out of business,” states John. “But sometimes we don’t go to that next level of, how can this risk be realized? And we don’t go through the scenarios under which a risk could be realized.”

Getting into realistic scenarios is how you discover, for example, that your two top XYZ vendors happen to be in the same geographic region, and what that would mean if a tsunami, earthquake, or political upheaval struck there. This deeper analysis makes it more likely that you can identify supply chain risks and their impacts.
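The concentration scenario above is easy to miss in a flat vendor list and easy to catch once you walk the supplier graph more than one level down. The following Python script is an added example written for this post (it is not the podcast guests' or Pivot Point's tooling); the supplier inventory, names and regions in it are constructed for illustration. It flags regions that every critical supplier depends on, directly or through a sub-supplier, and sub-suppliers that sit underneath all of them.

```python
from collections import deque

# Constructed supplier inventory for this example (not from the article):
# supplier name -> (region it operates from, sub-suppliers it depends on).
# Note that the "backup" payments vendor sits in a different region but
# still relies on the same hosting provider as the primary.
INVENTORY = {
    "payments-primary": ("region-A", ["cloud-host-1", "kyc-provider"]),
    "payments-backup":  ("region-B", ["cloud-host-1"]),
    "cloud-host-1":     ("region-A", []),
    "kyc-provider":     ("region-C", ["cloud-host-2"]),
    "cloud-host-2":     ("region-C", []),
}


def transitive_suppliers(name, inventory):
    """Return every sub-supplier reachable from `name`, at any tier.

    Breadth-first walk with a visited set, so mutual dependencies between
    suppliers (which do occur in real inventories) cannot loop forever.
    An unknown name raises rather than being skipped: a supplier you cannot
    place is itself a visibility gap worth surfacing.
    """
    if name not in inventory:
        raise KeyError(f"supplier not in inventory: {name}")
    seen, queue = set(), deque(inventory[name][1])
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        if dep not in inventory:
            raise KeyError(f"sub-supplier not in inventory: {dep}")
        seen.add(dep)
        queue.extend(inventory[dep][1])
    return seen


def regions_touched(name, inventory):
    """Regions of a supplier plus all of its transitive sub-suppliers."""
    names = {name} | transitive_suppliers(name, inventory)
    return {inventory[n][0] for n in names}


def shared_regions(critical, inventory):
    """Regions that *every* listed critical supplier depends on.

    A regional event (tsunami, earthquake, political upheaval) in one of
    these regions hits all of them at once, so a backup vendor that shares
    such a region is not actually independent.
    """
    sets = [regions_touched(n, inventory) for n in critical]
    return set.intersection(*sets) if sets else set()


def shared_sub_suppliers(critical, inventory):
    """Sub-suppliers (any tier) that every listed critical supplier relies on."""
    sets = [transitive_suppliers(n, inventory) for n in critical]
    return set.intersection(*sets) if sets else set()


def scenario_report(critical, inventory):
    """Findings phrased as scenarios for a multidisciplinary risk workshop."""
    lines = []
    for region in sorted(shared_regions(critical, inventory)):
        lines.append(f"all of {critical} are exposed to an outage in {region}")
    for dep in sorted(shared_sub_suppliers(critical, inventory)):
        lines.append(f"all of {critical} depend on {dep} (single point of failure)")
    return lines


if __name__ == "__main__":
    for line in scenario_report(["payments-primary", "payments-backup"], INVENTORY):
        print(line)
```

Run against the constructed inventory, the report shows that both payments vendors are exposed to region-A and both depend on cloud-host-1, even though the backup was chosen in another region. The same walk applied to a real inventory is what turns "we have a second vendor" into a scenario you can actually defend in a risk assessment.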

Take a look at NIST 800-161

NIST 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, addresses concerns about “the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain.” These risks reflect reduced visibility into how third-party technology is developed, integrated, and deployed, especially around security.

NIST 800-161 specifically helps with integrating cybersecurity supply chain risk management (C-SCRM) into other risk management activities. Its Appendix F includes targeted guidance around software supply chain risks.

“Cybersecurity supply chain risk management is a really important concept that we need to instill into our organizations,” notes Willy. “We really need to understand the cybersecurity implications of our supply chains, and this document talks about it in great detail. It’s heavy stuff to read, let alone implement, but definitely a great source of inspiration.”

In particular, NIST 800-161 talks about all the different functional/process areas within an enterprise that should be involved in multidisciplinary risk assessment activities. There’s also a section on risk scenario development, which helps broaden the thought process around risk.

“We all have our own perspectives and paradigms,” Willy comments. “That’s the power of getting this multidisciplinary team together, where everybody is contributing, everybody says what he or she sees as important as a risk, so that at the end it comes down to a solid risk assessment.”

What’s next?

To hear the complete episode with Willy Fabritius on software supply chain risk management, click here.

What other tools are available to help assess supply chain risk? One option might be attack surface management: How Attack Surface Management Can Help Reduce Supply Chain Security Risks

Interested in a checklist to see how ready you are for an ISO 27001 certification audit?

It's a little more complicated than just checking off a few boxes.
To learn more, download our ISO 27001 Un-Checklist now!