Episode 33 — A.5.21–5.22 — ICT supply chain; Monitoring/review of supplier services

A.5.21 extends supplier governance to the broader ICT supply chain, recognizing that products and services depend on multiple tiers of vendors, firmware, open-source components, and logistics. For exam readiness, emphasize mapping dependencies, verifying provenance, and assessing risks from compromised updates, counterfeit parts, end-of-life components, and opaque subprocessor chains. The control expects organizations to demand security assurances across the chain, including secure development practices, vulnerability handling, tamper-evident packaging, and SBOM or component transparency where feasible. It also promotes diversification and contingency planning to mitigate concentration risk and geopolitical exposure, aligning resilience strategies with business impact analyses and change management.

A.5.22 requires ongoing monitoring and periodic review of supplier services to ensure agreed security and performance requirements are maintained. Monitoring should be risk-proportionate and evidence-based: collecting KPIs and KRIs, validating SLAs for availability and incident response, tracking vulnerability remediation timelines, and evaluating control attestations or audit reports. Real-world programs implement dashboards, structured quarterly business reviews, and event-driven reassessments after incidents, architectural changes, or negative press. Common failures include “set-and-forget” vendors, unverified remediation promises, and lack of visibility into fourth parties. Effective controls include contractual reporting obligations, continuous attack surface monitoring for exposed services, and targeted technical tests such as red team scenarios for managed providers. Candidates should describe how deviations trigger corrective actions, contract levers, or exit plans, and how lessons learned feed supplier tiers, requirements, and monitoring intensity to improve overall supply-chain assurance. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.