How to determine the cyber security provisions that need to be captured in the contract

The key upfront requirements, arrangements, or terms and conditions requested from the supplier should contractually require the supplier to produce adequate plans for two purposes: cyber security, to reduce the likelihood of a cyber incident, and cyber resilience, to reduce the impact or disruption caused by a cyber incident when one does occur.

Suppliers can be contractually obligated to provide these plans within a reasonable timeframe at the start of the contract. What is required, and how soon, will likely depend on the risk profile of the contract as well as your capacity to review what the supplier provides.

Example cyber security requirements

Cyber security requirements that could be embedded within a contract include but are not limited to the following:

Cyber security requirements

An incident management plan is another requirement that should be considered for embedding within the contract. The guide on contract management provides more information specifically related to incident management.

Example cyber resilience requirements

Cyber resilience requirements that could be embedded within a contract include but are not limited to the following:

Cyber resilience requirements

Very importantly, you may also want to take a flow-down approach and require the supplier to apply the same controls or requirements to its subcontractors. This is an important point at which to bring in experts from your IT and ICT teams, as not all controls will be appropriate to flow down to every subcontractor.