NCSC: Supply chain security guidance

Proposing a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.


The guidance will provide organisations with an improved awareness of supply chain security, as well as helping to raise the baseline level of competence in this regard, through the continued adoption of good practice. Whilst beneficial, this guidance has not been written for organisations with national security (high assurance), requirements.

Most organisations rely upon suppliers to deliver products, systems, and services. You probably have a number of suppliers yourself, it’s how we do business.

But, supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption.

Despite these risks, many companies lose sight of their supply chains. In fact, according to the 2016 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers.

A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing. So, the need to act is clear.

12 Principles

These principles have been designed to help you gain and maintain the necessary level of control over your supply chain

A note on implementation

Implementing these recommendations will take time, but the investment will be worthwhile. It will improve your overall resilience, reduce the number of business disruptions you suffer and the damage they cause.

It will also help you demonstrate compliance with GDPR, the new Data Protection Act. Ultimately, these measures may help you win new contracts, because of the trust you have sought in the security of your supply chain.

Further reading

The following sources provide information on managing supply chain security threats and risks:

DCPP (MoD) – DCPP is a joint Ministry of Defence (MOD) / industry initiative to improve the protection of the defence supply chain from the cyber threat.

Government supplier framework – This framework helps the government to manage supplier risk.

IS0 28000 – Specification for security management systems for the supply chain.

View the principles of supply chain security here.