Supply Chain

Improving the cyber resilience of your supply chain

Most organisations rely upon suppliers to deliver products, systems, and services.

Supply chains can be large and complex, involving many suppliers doing many different things. Effectively securing the supply chain can be difficult as vulnerabilities can be inherent, or can be introduced and exploited at any point in the supply chain. A vulnerable supply chain can cause severe damage and disruption. The reputational and financial costs of dealing with cyber attacks can be significant. 


The NCSC has designed a set of 12 Principles around supply chain security to help you gain and maintain the necessary level of control over your supply chain.

Implementing these recommendations will take time, but the investment will be worthwhile. It will improve your overall resilience, reduce the number of business disruptions you suffer and the damage they cause.

It will also help you demonstrate compliance with GDPR, the new Data Protection Act. Ultimately, these measures may help you win new contracts because of the trust you have gained in helping to secure your supply chain.

Go to the guidance
Section Supply Chains for the Public Sector

Supply Chains for the Public Sector

The cyber resilience of suppliers is increasingly important to the Scottish public sector. The number of cyber attacks targeting suppliers to the public sector has grown in recent years. Attacks can (intentionally or otherwise) disrupt and damage both suppliers’ services and wider public services.

Scottish Public Sector Supplier Cyber Security Guidance Note

The Supplier Cyber Security Guidance Note sets out best practice from the National Cyber Security Centre.

The key aims of the Supplier Cyber Security Guidance Note are:

  • To support Scottish public sector organisations to put in place consistent, proportionate, risk-based policies that effectively reduce the risk of Scottish public services being damaged or disrupted by cyber threats as a result of supplier cyber security issues;
  • To minimise any necessary additional burdens on Scottish public sector organisations (as purchasers) and private and third sector organisations (as suppliers), whilst ensuring the presence of proportionate cyber security controls in the public sector supply chain. This includes a requirement to avoid discouraging SMEs, in particular, from bidding for public sector contracts. This latter aim will be supported by ensuring greater uniformity of the requirements placed on suppliers (thus minimising the number of conflicting demands they face), and by providing a decision-making support tool to aid consistent, proportionate implementation by public sector organisations; and
  • To ensure alignment where possible with key requirements in respect of supply chain cyber security that have implications for the Scottish public sector and its supply chains. These include the EU Security of Network and Information Systems (NIS) Directive as transposed into UK-wide legislation and guidance.
Read the Guidance Note

The Scottish public sector wants to ensure its suppliers have appropriate cyber security in place. That’s because:

  • It has a duty to prevent our public services from being disrupted by cyber attacks on suppliers; and
  • It wants to support our suppliers to improve their cyber security, because it’s good for the sustainability and resilience of our digital economy and society.
Section Guidance and decision-making support tools

Guidance and decision-making support tools

The Cyber Security Procurement Support Tool (CSPST) is a decision making support tool which all suppliers bidding for public sector contracts will be asked to use. Guidance on how to use the CSPST tool are available for public sector buyers and suppliers.

CSPST allows public sector buyers to risk-assess their contracts whilst developing their procurement strategy based on the sensitivity and handling of information and/or the access supplier may be granted to public sector systems and networks.

CSPST produces a risk profile and associated question set which potential suppliers can be invited to address as part of their tender. Suppliers can log onto CSPST and answer the questions and, in an effort to reduce burdens, will be able to reuse previous answers where applicable. Suppliers can also test their current cyber security and resilience through answering the questions and receiving a detailed report outlining any potential deficiencies with advice on how to further improve their cyber security.

Procurement Support Tool

To help improve supply chain cyber security, the Scottish public sector is being encouraged to adopt a more consistent approach to managing cyber risk in the supply chain.

Back to top of the page