As your organisation grows, you become a link in a supply chain: a network made up of an organisation and its suppliers that produces and distributes a specific product or service to the customer.

Being a desirable, trustworthy organisation or supplier includes observing good practice (and, in many cases, compliance) when it comes to cyber and information security. If good practice is not followed, it may place not only your own organisation at risk but also others within the ‘supply chain’.


If you use third-party managed IT services, check your contracts and service level agreements. Ensure that whoever handles your systems and data has security controls in place.

One way to demonstrate that you have the security controls in place is to undertake a basic assessment and achieve a Cyber Essentials certificate. You can ask your suppliers to do the same.

If you are completing the Data Security and Protection Toolkit, there is a requirement to list the IT suppliers you use in your organisation. Good suppliers should let you know your responsibilities and offer options to reduce your risk of cyber threats, with updated advice each year.

We have a template you can use to list your suppliers.