Supply Chain Risk Assessment: how does it work?
Virtually every organization depends on suppliers, service providers, and third-party software. This dependency introduces risks: a vulnerability at a supplier can directly impact your business continuity and data security. Our Supply Chain Risk Assessment maps these risks and provides concrete recommendations to strengthen your supplier chain.
What is a Supply Chain Risk Assessment?
A Supply Chain Risk Assessment is a structured evaluation of the cybersecurity risks that arise through your supplier chain. The assessment analyzes three core aspects: your supplier landscape (who are your suppliers and how critical are they), your current controls (which safeguards do you already have in place), and your dependencies and risk scenarios (how severely does an incident impact you).
The goal is not to individually audit every supplier, but to provide an overarching view of the maturity of your supply chain risk management. This allows you to identify the biggest gaps and set priorities effectively.
Supply chain attacks are among the most impactful cyber threats of our time. In the SolarWinds attack, more than 18,000 organizations were affected through a single compromised software update. The Kaseya VSA attack impacted hundreds of MSP clients simultaneously. And the Log4j vulnerability demonstrated how a single open-source component can disrupt the entire software supply chain. These incidents underscore why supply chain security is no longer optional.
Methodology and frameworks
Our Supply Chain Risk Assessment is based on three leading standards and guidelines:
- NIST SP 800-161 (Cybersecurity Supply Chain Risk Management Practices) -- the most comprehensive framework for supply chain risk management. NIST SP 800-161 provides a systematic approach to identifying, assessing, and mitigating risks in the ICT supply chain. The framework covers the full lifecycle: from supplier selection to exit strategy.
- NIS2 Article 21(2)(d) -- the European NIS2 directive explicitly requires essential and important entities to manage the security of their supply chain. This includes risk assessment of direct suppliers, security requirements in contracts, and incident notification agreements.
- ENISA Supply Chain Best Practices -- the EU cybersecurity agency ENISA publishes guidelines for assessing and improving supply chain security, with special attention to the European context and sector-specific threats.
The assessment evaluates the full supply chain security lifecycle: from mapping suppliers, through implementing controls, to planning responses to supply chain incidents. By combining these three frameworks, we provide an assessment that is both internationally recognized and NIS2-compliant.
The three steps of the assessment
The assessment consists of three steps that together provide a complete picture of your supply chain risk profile. Each step contains multiple questions that are automatically weighted and scored.
In the first step, we map your supplier landscape. You indicate how many critical suppliers you have (1-5, 6-20, 21-50, or 50+) and which types of suppliers are in your chain: cloud and SaaS providers, IT service providers (MSP/MSSP), software vendors, hardware suppliers, data processors, and physical suppliers.
Managing supply chain risk begins with knowing who is in it. An organization with five suppliers has a fundamentally different risk profile than one with fifty. Likewise, the presence of MSPs and cloud providers -- which often have privileged access to your systems -- significantly increases risk compared to purely physical suppliers.
In the second step, we inventory which supply chain security measures you already have in place. We ask about eight core controls: supplier risk assessment during onboarding, periodic reassessment, contractual security requirements (SLA), right-to-audit clauses, supplier incident notification, SBOM requirements (Software Bill of Materials), monitoring of supplier security posture, and an exit strategy for each critical supplier. We also ask whether you require security certifications from suppliers -- always, only for critical suppliers, or not at all.
Without structural controls, supply chain risk is invisible. You can only manage supplier risks if you know which controls are in place and where the gaps are. Many organizations have contractual agreements but lack continuous monitoring or an exit strategy -- precisely the areas that NIS2 focuses additional attention on.
In the third step, we assess how dependent your organization is on its key suppliers and which risk scenarios are relevant. You indicate your level of dependency on your top three suppliers (low, moderate, high, or critical) and which scenarios you consider: supplier hacked, supplier bankruptcy, malicious software update, compliance violation, or geopolitical risk.
Concentration risk determines how severely a supply chain incident impacts you. An organization that is critically dependent on three suppliers without alternatives faces existential risk in the event of failure. By explicitly naming the impact scenarios, it becomes clear which risks deserve the most attention in your mitigation strategy.
What do you get as a result?
After completing the three steps, the assessment automatically calculates your supply chain risk profile. The results consist of four components:
- Supply chain risk score -- an overall score indicating how well your supply chain risk management is set up. The score is visually displayed with a risk indication: low, moderate, high, or critical.
- Category scores -- individual scores per assessed domain (supplier landscape, controls, dependencies), so you can see exactly where the strongest and weakest points are.
- Risk map -- a visual representation of your supply chain risks, allowing you to see at a glance which areas need the most attention.
- Recommendations -- prioritized improvement points based on your specific answers. The recommendations are concrete and immediately actionable.
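To make concrete how answers from the three steps can be turned into weighted category scores, an overall risk level and prioritized recommendations, here is an added Python illustration. It is not the assessment provider's own scoring engine: the weights, band thresholds, control priorities and recommendation wording are assumptions chosen for this example, and the sample answers are constructed.

```python
"""Illustrative scoring model for a three-step supply chain risk assessment.

Added example, not the provider's scoring engine. All weights, thresholds and
recommendation texts are assumptions. Scores are risk scores on a 0-100 scale:
higher means more residual risk.
"""
from dataclasses import dataclass

# Step 2: the eight core controls, assumed equally weighted.
CONTROLS = (
    "onboarding_risk_assessment", "periodic_reassessment",
    "contractual_security_requirements", "right_to_audit",
    "incident_notification", "sbom_requirements",
    "posture_monitoring", "exit_strategy",
)
# Order in which missing controls are recommended (assumption: monitoring and
# exit strategy, the gaps NIS2 draws attention to, come first).
CONTROL_PRIORITY = (
    "exit_strategy", "posture_monitoring", "periodic_reassessment",
    "incident_notification", "onboarding_risk_assessment",
    "contractual_security_requirements", "right_to_audit", "sbom_requirements",
)
# Step 1: supplier types that typically hold privileged access (assumption).
PRIVILEGED_TYPES = frozenset({"cloud_saas", "msp_mssp", "software_vendor", "data_processor"})
SUPPLIER_COUNT_RISK = {"1-5": 0.2, "6-20": 0.4, "21-50": 0.7, "50+": 1.0}
CERT_REQUIREMENT_RISK = {"always": 0.0, "critical_only": 0.4, "never": 1.0}
# Step 3: dependency on the top three suppliers and the scenarios considered.
DEPENDENCY_RISK = {"low": 0.1, "moderate": 0.4, "high": 0.7, "critical": 1.0}
SCENARIOS = frozenset({"supplier_hacked", "bankruptcy", "malicious_update",
                       "compliance_violation", "geopolitical"})
CATEGORY_WEIGHTS = {"landscape": 0.25, "controls": 0.45, "dependencies": 0.30}


@dataclass(frozen=True)
class Answers:
    supplier_count: str        # key of SUPPLIER_COUNT_RISK
    supplier_types: frozenset  # supplier types present in the chain
    controls: frozenset        # subset of CONTROLS that are in place
    cert_requirement: str      # key of CERT_REQUIREMENT_RISK
    dependency: str            # key of DEPENDENCY_RISK
    scenarios: frozenset       # subset of SCENARIOS considered relevant


@dataclass(frozen=True)
class Result:
    category_scores: dict
    overall: float
    risk_level: str
    recommendations: list


def landscape_score(a: Answers) -> float:
    """Step 1: more suppliers and more privileged supplier types mean more risk."""
    privileged_share = len(a.supplier_types & PRIVILEGED_TYPES) / len(PRIVILEGED_TYPES)
    return 50 * SUPPLIER_COUNT_RISK[a.supplier_count] + 50 * privileged_share


def controls_score(a: Answers) -> float:
    """Step 2: each missing core control adds risk, as does not requiring certifications."""
    missing = [c for c in CONTROLS if c not in a.controls]
    return 70 * len(missing) / len(CONTROLS) + 30 * CERT_REQUIREMENT_RISK[a.cert_requirement]


def dependencies_score(a: Answers) -> float:
    """Step 3: concentration risk, scaled by how many impact scenarios apply."""
    scenario_share = len(a.scenarios & SCENARIOS) / len(SCENARIOS)
    return 60 * DEPENDENCY_RISK[a.dependency] + 40 * scenario_share


def risk_level(score: float) -> str:
    """Map a 0-100 risk score to the four bands of the report (thresholds assumed)."""
    if score < 25:
        return "low"
    if score < 50:
        return "moderate"
    if score < 75:
        return "high"
    return "critical"


def recommendations(a: Answers) -> list:
    """Prioritized improvement points derived from the specific answers."""
    recs = []
    missing = [c for c in CONTROL_PRIORITY if c not in a.controls]
    if a.dependency in ("high", "critical") and "exit_strategy" not in a.controls:
        recs.append(f"Document an exit strategy for each critical supplier: dependency is "
                    f"{a.dependency} and no exit strategy is in place.")
        missing.remove("exit_strategy")
    recs.extend(f"Implement control: {c.replace('_', ' ')}" for c in missing)
    if a.cert_requirement != "always":
        recs.append("Require security certifications (ISO 27001, SOC 2) from all suppliers.")
    return recs


def assess(a: Answers) -> Result:
    scores = {"landscape": landscape_score(a), "controls": controls_score(a),
              "dependencies": dependencies_score(a)}
    overall = sum(CATEGORY_WEIGHTS[k] * v for k, v in scores.items())
    return Result(scores, overall, risk_level(overall), recommendations(a))


# Constructed sample answers for a mid-sized organization (not real data).
SAMPLE = Answers(
    supplier_count="6-20",
    supplier_types=frozenset({"cloud_saas", "msp_mssp", "hardware"}),
    controls=frozenset({"onboarding_risk_assessment",
                        "contractual_security_requirements", "incident_notification"}),
    cert_requirement="critical_only",
    dependency="high",
    scenarios=frozenset({"supplier_hacked", "malicious_update", "bankruptcy"}),
)

if __name__ == "__main__":
    r = assess(SAMPLE)
    for k, v in r.category_scores.items():
        print(f"{k:13s} {v:5.1f} ({risk_level(v)})")
    print(f"overall       {r.overall:5.1f} ({r.risk_level})")
    for rec in r.recommendations:
        print(" -", rec)
```

For the constructed sample the controls category scores worst, and the first recommendation is the missing exit strategy, because a high dependency without an exit strategy is the combination the text singles out as concentration risk. The category breakdown is what lets a reader see where the weakest point is, rather than only the overall band.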
The free report
- Complete supply chain risk score with color indication
- Overview of strengths in your current approach
- Identification of the most important weaknesses and gaps
- Prioritized improvement advice to get started with immediately
After completing the assessment, you can receive the report directly by email as a PDF. The free report provides a clear overview of your current supply chain security posture and the most important areas for improvement. It is suitable as a starting point for internal discussions about supplier risk management.
Premium Supply Chain Assessment
- Supplier risk classification: critical, high, medium, and low -- per supplier category
- Gap analysis against NIST SP 800-161 and NIS2 Article 21(2)(d)
- Security requirements template per supplier category, ready to use in contracts
- SBOM requirements and software supply chain analysis
- Integration and dependency map of your supplier landscape
- Complete supplier policy as a professional PDF report
The premium report goes considerably deeper than the free version. Where the free report offers a risk score and improvement points, the premium report delivers a complete supply chain risk management program. The supplier risk classification helps you apply the right controls to the right suppliers. The gap analysis shows exactly where you deviate from NIST SP 800-161 and what NIS2 expects of you. And the security requirements templates can be used directly in contract negotiations with suppliers.
The SBOM analysis is particularly valuable for organizations that procure or develop software. An SBOM makes transparent which components and libraries are contained in software, so that when a new vulnerability arises (such as Log4j), you can immediately determine whether you are affected. The premium report includes concrete SBOM requirements that you can set for software vendors.
Free vs. premium comparison
| Component | Free | Premium |
|---|---|---|
| Supply chain risk score | ✓ | ✓ |
| Strengths and weaknesses | ✓ | ✓ |
| Priority advice | ✓ | ✓ |
| Supplier risk classification per category | ✕ | ✓ |
| Gap analysis NIST SP 800-161 & NIS2 | ✕ | ✓ |
| Security requirements template per supplier category | ✕ | ✓ |
| SBOM requirements and software supply chain analysis | ✕ | ✓ |
| Integration and dependency map | ✕ | ✓ |
| Complete supplier policy PDF | ✕ | ✓ |
Frequently Asked Questions
What is supply chain risk?
Supply chain risk encompasses all cybersecurity threats that originate from suppliers, service providers, and third-party software. A vulnerability or incident at a supplier can directly lead to a data breach, operational disruption, or compliance violation at your organization. The risk is often greater than organizations estimate, because suppliers frequently have privileged access to systems and data.
Why is supply chain security important?
More than 60% of all cyber incidents now have a supply chain component. The SolarWinds attack (2020), the Kaseya VSA attack (2021), and the Log4j vulnerability (2021) demonstrated that a single compromised supplier can affect thousands of organizations simultaneously. NIS2 recognizes this risk and therefore explicitly requires organizations to implement supply chain risk management. Without insight into your supplier risks, your own security is incomplete, no matter how strong it is internally.
What are the biggest supply chain threats?
The five biggest supply chain threats are: (1) malicious software updates where an attacker injects malicious code into a legitimate update, (2) compromised suppliers that serve as a springboard into your network, (3) data processors that leak personal data resulting in GDPR fines, (4) suppliers that go bankrupt causing critical services to disappear, and (5) geopolitical risks such as sanctions or data localization requirements that threaten service continuity.
How do you assess suppliers on security?
A thorough supplier assessment combines multiple methods: security questionnaires, certification verification (ISO 27001, SOC 2, NEN 7510), contractual security requirements, right-to-audit clauses, and continuous monitoring of security posture. Critical suppliers deserve a more in-depth assessment than non-critical suppliers. The frequency of reassessment depends on the risk classification: at least annually for critical suppliers.
What is an SBOM?
An SBOM (Software Bill of Materials) is a structured inventory of all components, libraries, and dependencies in a software product. It is comparable to an ingredient list on food packaging. When a new vulnerability emerges -- such as the Log4j vulnerability in December 2021 -- an SBOM enables you to immediately determine whether your software is affected. An increasing number of organizations and governments require SBOMs from their software vendors as part of supply chain security.
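The use of an SBOM described above and in the premium SBOM analysis section, determining from the component list whether a newly published vulnerability affects you, as an added Python example that is not the assessment provider's code. The CycloneDX JSON document and the advisory entries are constructed for the illustration; the advisory identifiers are placeholders and the version ranges are not authoritative advisory data.

```python
"""Match a CycloneDX SBOM against an advisory list to see which components are affected.

Added example. The SBOM and the advisories below are constructed; advisory ids are
placeholders and the version ranges are illustrative, not real advisory data.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM for a fictional application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0",
     "components": [
       {"type": "library", "name": "nested-lib", "version": "1.2.0",
        "purl": "pkg:maven/example/nested-lib@1.2.0"}
     ]},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
  ]
}
"""

# Constructed advisories: affected iff introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "EXAMPLE-ADV-0002", "package": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.21"},
    {"id": "EXAMPLE-ADV-0003", "package": "pkg:maven/example/nested-lib",
     "introduced": "1.0", "fixed": "1.3.0"},
]


def parse_version(v: str):
    """Numeric dotted prefix plus a pre-release flag; '2.15.0-rc1' sorts before '2.15.0'."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    prerelease = 0 if m.group(2).startswith("-") else 1
    return nums, prerelease


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b (missing segments count as 0)."""
    (na, pa), (nb, pb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, pa) < (nb, pb)


def is_affected(version: str, adv: dict) -> bool:
    return not version_lt(version, adv["introduced"]) and version_lt(version, adv["fixed"])


def walk_components(components):
    """CycloneDX allows components to nest; yield every component at any depth."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def find_affected(sbom_text: str, advisories: list) -> list:
    """Return one hit per (advisory, component) pair whose version is in the affected range."""
    bom = json.loads(sbom_text)
    hits = []
    for comp in walk_components(bom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            continue  # no package URL, cannot match reliably; flag for manual review in practice
        package = purl.split("@", 1)[0]  # strip the version part of the purl
        for adv in advisories:
            if adv["package"] == package and is_affected(comp["version"], adv):
                hits.append({"advisory": adv["id"],
                             "component": f"{comp['name']}@{comp['version']}",
                             "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']} affected, fixed in {hit['fixed_in']}")
```

Two details matter in practice: the lodash entry is exactly the fixed version, so it must not be reported, and the nested component is only found because the walk descends into child components. Pre-release tags are handled conservatively, so a release candidate of the fixed version is still treated as affected.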
What does NIS2 require for supply chain?
NIS2 Article 21(2)(d) requires essential and important entities to manage the security of their supply chain. In concrete terms, this means: risk assessment of direct suppliers and service providers, security requirements in contracts, agreements on incident notification by suppliers, periodic reassessment of supplier risks, and attention to the quality of cybersecurity products and services you procure. Non-compliance can result in fines of up to 10 million euros or 2% of global revenue.
How often should you reassess suppliers?
The frequency depends on the risk classification of the supplier. Critical suppliers -- suppliers with direct access to your systems or data -- deserve at least an annual reassessment. On top of that, an ad-hoc assessment is needed after significant changes (new contract, merger, incident). Non-critical suppliers can be reassessed every two to three years. Continuously monitoring certifications and publicly known incidents is recommended for all supplier classes.
What do you do when a supplier gets hacked?
Step 1: activate your incident response plan and isolate connections with the affected supplier where possible. Step 2: assess the impact -- which data and systems are potentially affected? Step 3: inform relevant stakeholders, your privacy officer, and if necessary the regulator (data protection authority, sector-specific regulator). Step 4: document all findings and actions. After the incident, conduct a root cause analysis, revise the supplier risk classification, and adjust controls where needed.