
Supply Chain Risk Management Standard: A Compilation of Best Practices


Annex A


A. Information and Communication Technologies (ICT) Security

A.1 Introduction

An organization will be better able to achieve its objectives by understanding and incorporating the convergence of risk management (including security, crisis, continuity, and recovery management) with information technology systems in all of the elements of its SCRM. The benefits that information and communication technologies provide to supply chain management can be significant (e.g., in implementation, operability, replacement, and overall cost efficiency); however, this also creates additional risks, along with the associated threats and vulnerabilities, to the individual and collective systems.

The architecture of an organization’s information and communication system plays a critical role in its supply chain and the management of supply chain risk. An information system is a set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. This definition includes the environment in which the information system operates (i.e., people, processes, technologies, facilities, and cyberspace). Information systems also include specialized systems such as industrial control systems (ICS), distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.

A growing threat to the supply chain is the compromise of critical information (documents, voice, and data). Another threat to the supply chain involves cyber threats to the supply chain’s information and communication technologies. Therefore, ICT risk management is an integral part of a holistic SCRM strategy.

The need to protect information cannot be overstated, nor should it be considered separate from the protection of tangible assets. Frequently it is much harder to recover from the loss of intangible assets than from the loss of tangible assets. Understanding the need to protect information in all its forms is critical to comprehensive SCRM. ICT systems provide opportunities for great efficiency, but they are vulnerable to various forms of loss and attack. ICT is integrated into all supply chain activities involved in the provision of goods and services, from the point of origin of raw materials to the point of consumption. Therefore, consideration of ICT risks should be included in all risk assessments of activities and functions in a supply chain.

A.2 Implementing ICT SCRM

SCRM is a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, can help manage the risk of utilizing ICT products and services. Consideration of ICT should be included in all aspects of the risk management process described in ISO 31000 and as discussed above. As with any other risk, ICT-related risks need to be considered with an understanding of the objectives of the organization and its internal and external context.

When establishing the context of the organization and its supply chain, organizations should include an understanding of ICT supply chain risks in their supply chain mapping exercises. This can be accomplished by understanding:

  • Cost and scheduling constraints;
  • Integration of information security requirements into the acquisition language;
  • Use of applicable baseline security controls as a source for security requirements;
  • Robustness of software quality control processes; and
  • Availability of multiple delivery routes for priority system elements.

When evaluating ICT risk, the organization should consider risk from three perspectives:

  • Uncertainty related to the organization achieving its overall objectives;
  • Business processes supporting the mission of the organization; and
  • The tactical level of ICT implementation.

The risk assessment should consider all three of these perspectives to support risk treatment decisions for SCRM. ICT risk needs to be considered both as part of the risk already inherent in the supply chain and in the design of the ICT that supports the supply chain.

During the risk identification phase of the risk assessment, threat, vulnerability, and criticality analysis should consider:

  • Planning cycles and investment planning;
  • Complexity of systems;
  • Life-cycle of ICT architecture and systems;
  • Criticality/sensitivity of the information and information systems;
  • Age of software systems and updating policies; and
  • Access of supplier data systems to the public internet.

Implementing an ICT SCRM program is not unlike non-ICT risk management initiatives, except that ICT is subject to a variety of cyber security threats. Because ICT facilitates the passage of supply chain products and services, ICT risk management becomes an imperative for the organization.

A.3 Convergence and SCRM Management Practices

Security convergence is a managed process that applies the principles of security risk management to the convergence of individual SCRM physical and information security systems and their integration into an organization’s enterprise security systems and enterprise risk management processes. This creates a single managed integrated process aligned to meet the organization’s overall security requirements which is integral to the success of SCRM and the overall risk management program. (For additional information, see ANSI/ASIS-PAP.1, Security Management Standard: Physical Asset Protection.)

SCRM should take advantage of the business practices that have developed over the years for physical and cyber security. The experience and capabilities built up through the growth of both domains provide significant advantages in SCRM.

Enterprise Security Risk Management (ESRM) is recognized as a progressive security management practice. Combined with security convergence, ESRM can be useful in setting up SCRM processes.

In many organizations, different aspects of security risk management (e.g., supply chain risk management, physical asset protection, human resource security, information security, communications security, and continuity management) are managed as separate activities. Recognition of the interdependence of these business functions and processes has led to the development of a more holistic approach to SCRM.

SCRM has become highly dependent on information technology networks, often sharing a common infrastructure and technology platform. Security systems should not be integrated into an enterprise’s computer network unless the enterprise can clearly secure those systems, both physically and logically, from intentional or unintentional interference. ICT systems can become the weak point an attacker exploits to obtain critical information about an organization or to disable security systems. Rather than having asset protection and security solutions managed by different business functions, each applying subjective risk controls to its own threat-specific vulnerabilities, convergence provides a common platform where these solutions are assessed and treated from the perspective of a shared risk environment. The benefits that information and communication technologies provide to SCRM can be significant (e.g., in implementation, operability, replacement, and overall cost efficiency); however, this also creates additional risks and vulnerabilities to the individual and collective systems. Security convergence applies a comprehensive view to the converged security risks, enabling a broad strategic approach that encompasses all areas of security risk and provides for integration with technological advancements.

The ISO/IEC 27001 standard on information security outlines strategies and controls for information security. It provides a management systems approach and therefore can be used seamlessly with this Standard. Likewise, the ANSI/ASIS/BSI BCM.01 business continuity standard can also be used with this Standard to manage the consequences of a disruptive event.  

All of these standards can be applied simultaneously in a single converged management system standard using the ANSI/ASIS SPC.1 organizational resilience standard.

The application of security convergence should establish:

  • A cost effective strategy that protects people, information, and property across functions;

  • Governance that ensures top management commitment and allocates ownership and accountability to the converged security risk management program;

  • A cross-discipline and cross-functional risk assessment and management framework that identifies, analyzes, evaluates, and treats all security risks within a singular managed process;

  • A risk management process that monitors all security risk controls and reports weaknesses, vulnerabilities, attacks, and system failures collectively;

  • A process for ongoing monitoring of changes in communications and information technology risks;

  • Systems that measure and assess the asset protection and SCRM performance individually, collectively, and as an entirety of the organization’s risk controls;

  • A security risk management framework that functions in synergy with the organization’s collective risk considerations;

  • Strategies that co-ordinate a unified response to disruptive events (attacks), mitigate their consequences, and evaluate and report both the incident and response in order to improve controls to further reduce the likelihood and impacts of an event; and

  • A framework that integrates procedures for the protection of all tangible and intangible assets.
