How to collaborate with suppliers to maintain and improve arrangements and refine contractual requirements

​​​​​​​The one thing that can be guaranteed with cyber resilience in your supply chain is that things will change over time. Your own cyber maturity will change as your organisation develops its skill sets and services. The threat landscape will change, and so will the suppliers you work with.

Consequently, change and how you manage it is a core pillar of embedding cyber resilience effectively. It is important to build trust with your suppliers through open and honest dialogue and slowly adjust your cyber security requirements from suppliers over time. It is recommended that you have a tailored and mutually agreed supplier security management plan with each of your suppliers. This should set out how you intend to manage security over the lifecycle of the service and the agreed mitigations for issues. Making this a cornerstone of contract management will help you manage change and adjust controls as they are required.

The ‘continuous improvement clause’ in contracts

‘Continuous improvement’ is a common clause in contracts - but it does not always carry as much weight as it should. If used correctly, effective continuous improvement provisions can ensure that your suppliers perform, improve and innovate across the contract lifecycle. Here are some tips for continuously improving your cyber approach:

Icons relating to ensuring the effectiveness of the continuous improvement clause in contracts

Closing a contract securely

Following the completion of a contract with a supplier it is important to take the necessary steps to ensure that the contractual obligations are closed securely. It is easy to think that the risk is removed once a contract or service is closed, but this can in fact be the point of heightened cyber risk.  Regardless of why the contract closes, even if under normal circumstances, it must be closed cyber securely.

  • Ensure that all sensitive data your supplier had access to is deleted at the end of the project.
  • Ensure that you have a robust joiners, movers and leavers process in place to remove access to supplier resources from your network and assets when those resources leave at the end of a project.
  • Ensure secure access to your network or other integrations, have been removed and tested once the service closes.
  • Ensure your supplier has returned any IT assets that you issued them during the service.
  • Ensure any passwords shared with the supplier are deleted or updated.

It is common practice to have these types of obligations as contractual terms so that services can only be accepted when the appropriate end of service provisions have been completed. 

To learn about any of the other phases in the procurement lifecycle click on the following links for: strategy, planning, tender, or contract. Or, if you are interested in reviewing the supplemental materials and example documents they are available in the appendix.

While these resources are updated frequently, the threat landscape is constantly evolving with new risks and vulnerabilities. It is very important to always follow the most up-to-date guidance as given by the National Cyber Security Centre (NCSC) and other related government bodies.
 

Highlighted pages

Embedding cyber resilience in local government supply chains

Management

This section offers a range of activities that your council may wish to carry out during the management phase of the procurement lifecycle.