
Cyber Essentials for Supply Chain Security Requirements

Attackers increasingly target smaller suppliers to reach larger organisations through trusted relationships. Supply chain cyber attacks accounted for 15% of UK breaches in 2025 (DSIT). Demonstrating your security posture through Cyber Essentials certification is the primary way UK businesses satisfy supply chain security requirements.


Overview

Supply chain cyber attacks target smaller suppliers to reach larger organisations through trusted access. 15% of UK breaches in 2025 involved supply chain compromise (DSIT). Cyber Essentials certification is the primary mechanism for demonstrating supply chain security posture in UK business and government procurement. 48% of certified organisations say their own suppliers are increasingly required to hold certification.


What Is Supply Chain Cyber Security?

Supply chain cyber security refers to the risk that attackers compromise a trusted supplier to gain indirect access to a target organisation. Rather than attacking a well-defended organisation directly, attackers target smaller, less well-defended suppliers — managed IT providers, software vendors, cloud service providers, or professional services firms — that have trusted access to their customers' systems.

The SolarWinds attack in 2020, where malware was introduced into a software update distributed to thousands of organisations worldwide, is the highest-profile example. But supply chain attacks are not limited to software — a managed IT provider with remote access to customer networks is a valuable target for attackers seeking to breach multiple organisations through a single compromise.

The Cascade of Customer Requirements

Large organisations — particularly those in regulated sectors or with government contracts — are increasingly aware of their supply chain risk. In response, they require their suppliers to demonstrate adequate cybersecurity. The most common mechanism for this in the UK is Cyber Essentials certification — a Cyber Essentials certificate provides an independent, verifiable confirmation that baseline security controls are in place.

48% of Cyber Essentials-certified organisations report that their own suppliers are now more frequently required to hold certification. This cascade effect means that what started as a government supply chain requirement is now spreading to private sector procurement. For UK SMEs bidding for contracts with larger organisations or in regulated sectors, holding a current Cyber Essentials certificate is increasingly a prerequisite.

Managing Your Own Supplier Risk

Beyond demonstrating your own security to customers, businesses must also manage the security risk posed by their own technology suppliers. A managed IT provider with remote access to your network, a cloud HR system with employee personal data, a SaaS accounting platform with financial records — each represents a potential supply chain risk if the supplier's security is inadequate.

The NCSC recommends organisations assess key suppliers' security posture, including whether they hold relevant certifications, how they manage access to customer systems, what their incident response procedures are, and whether they have experienced relevant breaches in the past. For critical suppliers — those with privileged access to your systems or sensitive data — a more detailed assessment is warranted.

What Cyber Essentials Demonstrates

Cyber Essentials certification confirms that five baseline technical controls are in place: boundary firewall and router configuration, secure device configuration, access control, malware protection, and patch management. These controls address the attack vectors used in the vast majority of common attacks and are sufficient to satisfy most customer supply chain security requirements for SME-sized businesses.

Cyber Essentials Plus provides a higher level of assurance — the same five controls are independently verified through technical testing rather than self-assessment. For suppliers with privileged access to customer systems, CE Plus may be required by larger customers or government supply chains.

Key Considerations for UK SMEs

  • Check whether existing customers or prospective customers require Cyber Essentials certification — many procurement processes now include this as a pass/fail criterion
  • Maintain annual renewal — an expired Cyber Essentials certificate provides no assurance value and may disqualify you from contracts
  • Assess your own key suppliers — particularly those with remote access to your systems or access to significant volumes of sensitive data
  • Ensure your managed IT provider (including AMVIA) holds current Cyber Essentials certification — they have privileged access to your environment
  • Document your supplier security assessments — this evidences your own supply chain risk management to customers who ask

How AMVIA Can Help

AMVIA holds current Cyber Essentials certification. AMVIA helps UK businesses achieve and maintain Cyber Essentials and Cyber Essentials Plus certification to satisfy supply chain requirements — managing the full certification process from gap assessment through to renewal. For businesses that also need to assess their own supplier security posture, AMVIA's security audit service can extend to review key supplier access controls and security documentation. Contact AMVIA on 0333 733 8050 to discuss your supply chain security requirements.

Key Points

What UK businesses need to know about supply chain cybersecurity.

Supply Chain Attacks Are Growing

15% of UK cyber breaches in 2025 involved supply chain compromise (DSIT). Attackers exploit trusted supplier relationships to bypass stronger defences at target organisations.

Customer Requirements Are Cascading

48% of Cyber Essentials-certified organisations report their own suppliers are increasingly required to hold certification — creating a cascade through supply chains.

Government Mandates CE

All UK government contracts involving personal or sensitive data require Cyber Essentials certification. This requirement is cascading to government supply chains.

Your Own Supplier Risk

You are also at risk from your suppliers' security posture. Managed service providers, SaaS vendors, and cloud providers with poor security can be used as entry points to your network.

Supply Chain Security Checklist

  • Cyber Essentials certificate current — check renewal date and maintain annually
  • Customer contract requirements reviewed — check if CE Plus is specified
  • Key suppliers assessed — particularly those with remote access to your systems
  • Supplier Cyber Essentials certificates verified — confirm they are current
  • Privileged supplier access reviewed — minimum access principle applied
  • Supplier security assessment documented — evidence of your own supply chain management


Demonstrate Your Security to Customers

AMVIA achieves and maintains Cyber Essentials certification for UK businesses — satisfying supply chain requirements and supporting contract bids.