Cyber Supply Chain Guidance

All organisations should consider cyber supply chain risk management. If a supplier, manufacturer, distributor or retailer (i.e. businesses that constitute a cyber supply chain) are involved in products or services used by an organisation, there will be a cyber supply chain risk originating from those businesses. Likewise, an organisation will transfer any cyber supply chain risk they hold to their customers.

This guidance has been developed to assist organisations in identifying risks associated with their use of suppliers, manufacturers, distributors and retailers (i.e. businesses that constitute their cyber supply chain).

The compromise of several Managed Service Providers’ (MSPs) was reported in 2017. In response, the Australian Cyber Security Centre (ACSC) provided organisations with the information they needed to protect themselves and others from this threat.

This document provides simple yet practical questions to ask managed service providers regarding the cyber security of their systems and the services they provide.