September 30, 2022

Last Updated on January 15, 2024

Supply chain risk management (SCRM) is hard to get a grip on, and harder still when the supply chain in question is a software supply chain. Why should you take pains to conduct a proper risk assessment across your key supply chains? And how do supply chain risks affect IT and business continuity?

From dodging international compliance issues to balancing generic and specific risk assessments, any guidance is welcome in the world of supply chain risk management.

Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance at SGS, provides insights into supply chain risk management—including definitions, best practices, and where to turn for guidance.

Slaying the dragon of supply chain risk management

Simply put, SCRM is a multi-headed beast, and it cannot be tamed all at once. But by breaking it down into its separate layers of definition and function, anyone willing to take up the sword against supply chain risk can prevail.

According to Willy, SCRM has several layers. At the foundation are clear, well-communicated organizational policies, instilled thoroughly enough to create genuine user awareness and to help prevent "shadow IT" and the other supply chain risks that arise outside official corporate visibility.

“It starts with user awareness and clear policies, so everybody within the organization clearly understands their responsibilities, and the risk associated with onboarding, utilizing, and choosing software providers.” — Willy Fabritius

Risk management takes a village. A single expert can be invaluable in shaping a supply chain risk management program, but in most organizations a number of people have to play their part for it to work.

Willy notes that managing the risk posed by officially sanctioned business software and vendors is a core part of supply chain risk management. Before entering a partnership, organizations can perform security due diligence on each tool, service, and product, and they can keep monitoring each one for the duration of the relationship rather than assessing it once at onboarding.

But threats also lurk in the individual SaaS tools that employees choose to use on their devices. Whether free or available for a small monthly fee, products that the organization has not vetted or sanctioned carry unknown security risk.

With so many external and internal factors, SCRM can be an intimidating foe. Fortunately, there is a path to optimized security, and Willy Fabritius is here to lead the way.

The hero’s journey to effective supply chain risk management

ISO 27001 may look like a promising map to SCRM success. While ISO standards can offer invaluable guidance in optimizing security and risk management, Willy emphasizes the first steps an organization must take on the road to certification.

“Before an organization even starts embracing the journey of an ISO certification, they need to ask this very simple, yet profound, question: Who are we and what are we doing?” — Willy Fabritius

SCRM looks different for every organization. Different missions, purposes, and roles produce different risk factors, each weighted differently depending on the business. Defining exactly what your business is and what it does, that is, its context, is therefore a prerequisite for effective risk management.

This exercise brings the more significant risks you face into view and so improves basic risk awareness. ISO 27001 can be an extremely useful tool, and its Annex A does include supplier relationship controls (A.15 in the 2013 edition; controls 5.19 to 5.23 in the 2022 edition), but it may not fully cover the supply chain risk management requirements of every business.

However, clearly defining your organization and its purpose (what ISO 27001 calls the context of the organization, in clause 4) is necessary in every SCRM setting, regardless of which controls you select to achieve ISO 27001 certification.

Addressing cybersecurity supply chain risk

As exemplified by the recent update to NIST SP 800-161 (Revision 1, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations"), the focus of supply chain risk management has been shifting toward software security. NIST SP 800-161 provides guidance on cybersecurity supply chain risk management (C-SCRM, in NIST's abbreviation).

Willy Fabritius strongly supports the document's focus, because it highlights how many points there are at which an organization's risk intersects with that of its suppliers. Organizations must protect their data through their own cybersecurity measures. Equally important, however, they must assess the cybersecurity of each part of the supply chain, especially the software they license and the software they build.

"Cybersecurity supply chain risk management is a really important concept that we need to instill into our organizations." — Willy Fabritius

Internal data protection is only as strong as the weakest link in the chain. Even with the best internal security practices and training, an organization is not protected if it shares data with suppliers whose own security is inadequate.

While effective C-SCRM will require different processes and priorities depending on the organizational context, every business can start moving toward adequate security with a few simple measures.

Organizations must recognize the significance of cybersecurity threats both in-house and from the supply chain. For example, employees often unknowingly introduce risk through personal habits, unsanctioned software, and downloads on devices connected to the corporate network. Likewise, the risks taken by suppliers, and by the suppliers' own employees, affect the organization's security.

A solid understanding of this risk intersection lets businesses look into the many suppliers behind most software, uncover vulnerabilities that would otherwise stay hidden, and respond to the complexity of cybersecurity supply chain risk management.

What’s next?

To listen to the podcast episode on Supply Chain Risk Management, click here.
