The Opportunity

Our client, an HM Government department, has a vast and complex supply chain across its many divisions and arm’s-length bodies, all of which require risk management in line with the current government security standards.

Our client needed a supplier to lead a number of initiatives to develop and deliver an ‘end-to-end’ approach to managing their supply chain security risk, which included the delivery of a security framework to:

1. Set out supplier obligations in regard to security risk management.
2. Provide a means to audit and assess supplier maturity in specific key control areas.
3. Deliver outcomes aligned to NCSC (National Cyber Security Centre) standards including the Cyber Assurance Framework (CAF) and the newly deployed GovAssure initiative.
4. Enable tools that become self-service to the wider business.

RedRock was the chosen supplier to deliver the Discovery and Alpha stages of this project.

Our Solution

Our recommended solution for this large government department was to deliver a bespoke version of RedRock’s Supplier Assurance Framework. Taking our foundational framework and overlaying our client’s requirements to align the framework to the need.

The foundation of RedRock’s established assurance framework is aligned with existing security frameworks and satisfies the requirements of the UK Government’s & NCSC’s strategy on reducing supply chain risk from cyber-related attacks.

The RedRock framework has been:

• Mapped to NCSC CAF, NIST CSF, ISO 27001 and other standards and frameworks for common control objectives and control measures.
• Mapped to common supply chain risks to framework controls, thus establishing a framework of requirements that harnesses the best and proportionate mitigating controls.

RedRock assembled a multi-disciplinary team who were distributed effectively across multiple workstreams, led by a RedRock Delivery Manager accountable for the outcome. The team’s capabilities spanned Delivery Management, Cyber Security, Business Analysis, Change Management & Communications Management.

Our Approach

RedRock’s NCSC-certified Cyber Security practitioners customised & deployed the framework, bespoke to this client, using the following approach:

• Evaluate the business needs by understanding the operational construct of the department, its divisions, ALBs and stakeholders.
• Discover existing mechanisms for advice and guidance in respect of Third Party Risk Management (TPRM) and alignment to best practice.
• Review the client-supplier population including a commercial assessment to identify common themes of potential cyber security risk.

• Develop framework profiles and categories specific to the services and service providers within this client.
• Create tools aligned to the client’s needs to assess the value or criticality of a service given specific criteria e.g., data values and volumes and mapping this to perceived impacts (low, moderate, high).
• Create mechanisms to assign appropriate tiered levels of assurance (control measures) in line with client risk management methodology.

• Pilot the framework with a broad scope of stakeholders to test, learn and adjust based on feedback and findings.
• Enable the client by providing comprehensive training, support and produce guidance documentation.
• Develop tools and processes in collaboration with our client to manage the framework ongoing and enable a wider deployment.

The Outcome

After an 18-month engagement including a pilot and other related workstreams, the bespoke framework was deployed.  It has enabled business users across the organisation to run a straightforward and comprehensive security assessment against their suppliers, significantly reducing the dependency on information security resources within the authority.

The success of the project resulted in several positive outcomes: