SUPPLY CHAINS

across the supply chain. In the 2022 revision, cyber-attacks and data breaches are explicitly recognised as emerging threats that must be assessed alongside physical ones.

2. Asset protection - the standard defines assets broadly, including information, data and communication systems. If a supplier has access to an organisation's data, ISO 28000 requires that controls are in place to manage that risk.

3. Integrated resilience - ISO 28000 follows the ISO High-Level Structure, so it is designed to plug directly into ISO 27001 (Information Security). While ISO 28000 handles the process of the supply chain, ISO 27001 handles the technical data protection within it.

ISO 27001

ISO 27001 is the leading international standard for information security management and provides a practical framework for an effective information security management system (ISMS). It simplifies compliance with applicable security regulations and requirements, and helps organisations foster an organisation-wide security culture, reducing overall information security risk. Rather than being seen as a cost to the organisation, ISO/IEC 27001 certification can actually lower the total cost of IT security by reducing the likelihood of security breaches and the costly consequences associated with them, such as financial damage and reputational harm. It is also a significant business enabler, giving access to contracts with government agencies and with organisations that flow down information security requirements to their suppliers.

Implementing an ISMS according to the requirements of ISO/IEC 27001 and obtaining certification involves a number of specific steps, which apply to most organisations regardless of their industry or level of preparedness:

• Obtain management commitment
• Define the information security policy
• Define the scope of the ISMS
• Complete a risk assessment of current information security practices
• Identify and implement risk measures and controls
• ISMS audit
• Conduct surveillance audits

An ISMS certified according to ISO 27001 covers some of the key requirements of the NIS2 Directive; the remaining requirements must be addressed with appropriate supplementary measures.


SUPPLY CHAIN CHECKS AND BALANCES

Ensuring a supply chain is secure goes beyond a check-the-box compliance exercise into a model of continuous assurance covering the entire lifecycle of a product or service. Before a vendor becomes a supplier, its baseline security maturity should be verified, and it should be categorised according to its level of access to the organisation's data or network. For example, a Tier 1 cloud provider requires deeper scrutiny than a Tier 3 office supplies vendor. As well as being asked for global certifications such as ISO/IEC 27001, suppliers should provide evidence that they follow a secure development lifecycle (SDLC).

As part of the Charter of Trust (CoT) initiative, a practical methodology for managing supplier security has been developed. The key approach is to translate complex requirements for third parties into uniform, verifiable criteria. The CoT is an international industry initiative involving Siemens, IBM, Bosch, Danfoss, TÜV SÜD and others. It was launched in 2018 to strengthen cybersecurity, particularly along digital supply chains. The following three interrelated steps have been developed based on the Charter of Trust's considerations:


1. Basic cybersecurity requirements for the digital supply chain - Fundamental, cross-industry cybersecurity criteria are defined for all suppliers with digital services. These include access protection, encryption of data transmissions, and logging of activities. These requirements apply uniformly to all service providers and form the foundation of the entire security architecture. They aim to eliminate fundamental vulnerabilities from the outset and establish a common security baseline. This will help small and medium-sized organisations in particular to achieve a minimum level of security.


2. Perform a criticality assessment - A risk assessment of each supplier evaluates the type, scope and relevance of its interfaces with the company, for example its access to IT and OT systems, the business processes affected, or its geographical origin. Factors such as proximity to production systems, the confidentiality of the information processed and the potential impact of a disruption are also included in this assessment. Classification into criticality classes then determines the form the review takes.


3. Verify compliance - Depending on the criticality level, the defined requirements are verified in different ways, for example through self-disclosure, documented evidence or technical tests. On-site audits play a key role, particularly for highly critical suppliers, because they verify the actual implementation of security measures directly in the operational environment; where specific weaknesses are identified, immediate countermeasures can be initiated.


In terms of content, this approach is based on common international standards and can be integrated into existing procurement and compliance processes. For practical implementation, it is advisable, depending on the starting situation, to draw on the specialised expertise of external service providers. To evaluate the implementation of the requirements on the supplier side, a conformity assessment in accordance with the relevant best practice is sometimes worthwhile, and compliance with the standard can be made part of the contractual requirements that companies agree with their suppliers as suitable evidence.


TÜV SÜD www.tuvsud.com/en-gb/cybersecurity
Factory & Handling Solutions | May 2026 | 29

