Since my 2024 article on untangling the supply chain web, organizations’ concern about this topic has only increased. According to the World Economic Forum Cybersecurity Outlook for 2025 Report, 54% of large organizations identified supply chain challenges as the greatest obstacle to achieving cyber resilience. The increasing complexity of supply chains and the lack of visibility into suppliers’ security practices are highlighted as the number one risk for organizations.
In my more recent ISACA Journal article on combatting the supply chain war with vendor vetting, three notable attacks on different manufacturing companies demonstrate the consequences of failing to conduct diligence on supply chains:
- July 2025, phishing campaign against Taiwanese semiconductor companies
- 31 August 2025, cyber-attack that halted operations at Jaguar Land Rover (JLR)
- 29 September 2025, Asahi Beer suffered an attack that disrupted multiple industries in Japan
The financial effects of these attacks are still being felt, and the longer-term consequences will be analyzed for years to come. JLR’s revenue was reduced by 39% in the last three months of 2025. In January 2026, Asahi Group Holdings reported an 11% fall in sales for that month from the previous year, which was put down to the lingering impact of the cyber attack. Companies can combat the supply chain war by applying four pillars to guide their vendor verification processes.
1. Certifications
Onboarding vendors that hold certifications removes the burden of completing and reviewing questionnaires from both purchasers and vendors. Suppliers who obtain certifications save the business time that would otherwise be spent completing questionnaires prior to onboarding. Certifications also reduce the need for buyers to audit a vendor’s security practices themselves.
Examples include:
- Cyber Essentials (followed by Cyber Essentials Plus).
- SOC2.
- ISO/IEC 27001:2022.
- Defense Cyber Certification (DCC).
2. Scopes
If a vendor has not included the whole organization in the scope of its certification, then buyers must ask why this is the case. It should be noted that different certifications have different scope requirements. A Cyber Essentials scope has allowances for exclusions. Systems such as Kali Linux, which is used for penetration testing, are not included in a Cyber Essentials certification scope. Guest networks are also excluded from the scope and must be separated from the main network by a firewall. IT equipment that does not connect to the internet is also not included in the scope of the certification, so there is no requirement for an organization to declare it.
The scope of an ISMS for ISO 27001:2022 is outlined in Clause 4.3. An ISO 27001:2022 scope includes processes, functions, services, locations and activities. The following factors can affect the determination of the scope:
- External and internal issues
- Stakeholders
- Business activities
- Support functions
- Outsourced processes
3. Business Continuity Planning
When vetting vendors, they should demonstrate that they have a business continuity plan as well as an incident response plan. Control 5.30 of ISO/IEC 27001:2022 requires companies to demonstrate their ICT readiness for business continuity. A service-level agreement with vendors should make both business continuity planning and incident response planning a requirement. An incident response plan shows how an organization will respond to an incident, whereas a business continuity plan shows how the business will keep the show on the road during an incident. Business continuity plans must be evaluated regularly. Components of a business continuity plan can include:
- Direction for continuity of operations
- Key assets and contingency plans for those assets
- Provisions for alternative facilities
- Expected capacity that operations can run at during an incident
- Contact lists and call trees
- Recovery timelines
- Date of the last review of the business continuity plan
- Communication plan
4. Supply Chain Collaboration
Wars are won through the coordinated efforts of multiple nations. This same principle of coordinated action must also be applied to the supply chain. Organizations must work with suppliers to improve and counter threats by collaboratively reviewing business continuity plans.
It is important to build relationships with suppliers. Organizations should exchange information on the emerging threat landscape and on managing risk, much as allies do during global conflicts. Smaller enterprises could use updates from information sharing and learning communities such as ISACA® and the International Association of Privacy Professionals (IAPP).
Subject matter experts (SMEs) should also consider some outsourced support. What that need looks like varies between organizations, but a threat intelligence platform, an Open-Source Intelligence (OSINT) investigation partner or a cyber consultancy could fulfil that requirement. Organizations could also send employees to one of the growing number of information security conferences for information sharing.
Avoid the supply chain domino effect
Protecting the supply chain by vetting vendors helps organizations take proactive steps to prevent the domino effect on a supply chain caused by a cyber-attack on a single company. Those effects include:
- Lost business time
- Decreased revenue
- Job losses
- Business bankruptcy
- Reduced economic productivity
- Market volatility
- Price inflation
- Unavailability of consumer goods
- Invasion of consumer privacy
Procurement departments should question whether a new supplier has any certifications and ask it to provide evidence of certification.
Victories in war occur when allies work together, so enterprises should start to have more open conversations with their suppliers and provide information on what is expected in terms of security. Businesses across the manufacturing industry should engage in conversations about how they can collectively and continuously improve. Not only will this reduce the risk of supply chain attacks, but it will also enhance a supplier’s reputation and make it a more competitive business, which is what buyers demand.
About the author: Hannah Hunt, CISM, CRISC, AIGP, ISO/IEC 27001 LA, ISO/IEC 27001 LI, is head of threat intelligence at Dark Armour Ltd. and has 15 years of experience in defense, intelligence, physical security, cybersecurity, and governance, risk, and compliance (GRC). She specializes in providing threat intelligence services to enterprises worldwide, with a focus on digital profiling and supply chain management.