Cyber Essentials and Cyber Assurance for the UK supply chain
- jane09855
- Aug 7
- 4 min read

A lot of organisations struggle with structuring a robust cyber security approach to their supply chain and a failure to act could lead to a serious breach for all those involved.
ADAS Ltd is a cybersecurity consultancy supporting local business across North Wales in bridging this gap. In this blog, Savva Pistolas - the Technical Director at ADAS Ltd, addresses risks to supply chains, collaboration on security across business networks, and how to identify viable trusted partners. Savva was previously a supervisor within the Cyber PATH team at the National Cyber Resilience Centre Group - supporting on the development and delivery of our services across the England and Wales business landscape.
The supply chain security challenge: Why traditional approaches fall short
The traditional procurement process for involving other businesses or teams in your organisational endeavours has always centred on cost, quality and delivery of shared objectives. In recent years, security questionnaires have become commonplace when prospecting with larger organisations.
Recipients are asked to answer a set of questions on the security posture of their organisation, and whether they have any supporting evidence or certification for it. For SMEs, this can be a difficult piece of work that ends up serving as a gap analysis of ‘things we don’t seem to have in place’. For SMEs looking to use such questionnaires to assess their own supply chain, they can be quite an overbearing piece of infrastructure to set up and keep track of.
Imagine trying to assess the security posture of a potential supplier when one organisation considers "we have antivirus software" to be sufficient endpoint protection, whilst another implements enterprise-grade endpoint detection and response solutions with 24/7 monitoring. Both might tick the same box on a security questionnaire, but the actual level of protection they provide is worlds apart. There’s also the need to validate the answers and identify any errors in the submission. So, it can be quite time intensive when you’re really just trying to collaborate with a potential new business partner.
The challenge is compounded by the fact that different organisations have vastly different risk appetites. A startup might be comfortable accepting certain security risks in exchange for rapid growth, whilst a well-established enterprise might have much more conservative attitudes to risk. When these organisations need to work together, how do you create a common understanding of what constitutes acceptable security?
Cyber Essentials Plus: A universal language for security controls
This is precisely why IASME’s Cyber Essentials Plus (CE+) and Cyber Assurance Framework (ICA) represent a significant opportunity for organisations looking to create supply chains that sit on the same page. Unlike risk-based approaches that allow for subjective interpretation, CE+ and ICA are fundamentally control-based standards - and this distinction is absolutely crucial.
When an organisation achieves Cyber Essentials Plus or Cyber Assurance Level 2 certification, it is not just saying it has assessed its risks and is comfortable with its current security posture. It is demonstrating that it has implemented specific, measurable controls that have been independently verified through technical testing and interviews with a government-recognised certification body. The controls are either there or they’re not. The policies are either there or they’re not. The effort was either exercised, or it wasn’t. It is a simple, government-backed way of communicating risk management across organisational boundaries.
An investment on multiple fronts
Pursuing CE+ or ICA for your own organisation is a good way to bolster and demonstrate your own security efforts, but it also serves as a great way to develop this universal language of reference for understanding other organisations that have undertaken the same journey.
The best part is that the standard retrofits to your existing suppliers. You can start to ask providers and partners to pursue the standard for themselves. If it’s a journey you want to undertake alongside your supply chain, then there’s absolutely nothing wrong with collaborating with other organisations on policy design, control implementation advice, or recommended providers. Economies of scale are very real here, and you might find that other organisations have the exact same appetite for digital maturity as you do – and are open to collaborating to achieve a shared goal.
Moving forward: CE+ as your competitive advantage
Implementing CE+ as a supply chain security standard isn't just about risk mitigation - it's becoming a competitive advantage, because it presents a pre-validated security posture to potential clients. In an increasingly connected business landscape, organisations that can provide ‘instant assurance’ about their security posture and that of their suppliers will be better positioned to win contracts, build partnerships, and maintain customer trust.
For businesses across North Wales and beyond, this represents a significant opportunity. By adopting standardised, verifiable security controls and requiring the same from your suppliers, you're not just protecting your own organisation - you're contributing to a more secure business ecosystem that benefits everyone.
As cyber security professionals, we're committed to supporting local businesses through this transition and have a wealth of in-house experience. Whether you're looking to achieve CE+ certification yourself, implement CE+ requirements across your supply chain, or simply better understand how these standards can benefit your organisation, you should reach out and say ‘hello’. We’d love to talk to you.
The question isn't whether supply chain security will become a critical business requirement - it already is. CE+ and ICA Level 2 provide the framework for a proactive approach, with standardised controls that create trust and transparency across organisational boundaries. If you’re silently crying out for a roadmap towards a better supply chain, this is it.
If you would like to speak to someone about Cyber Essentials and Cyber Essentials Plus and how you and your business can become certified, then contact the WCRC and speak to a member of the team who will happily talk you through the process.