On 27 July 2020 the National Information Security Standardisation Technical Committee published the Information Security Technology – Security Requirements for the Supply Chain of Information Technology Products (Draft for Comment) for public consultation.(1) The consultation period ended on 26 September 2020.

The requirements, as a recommended national standard, will apply to the security management activities of the IT product supply chain for government information systems and critical information infrastructure. They will also provide a reference for the supply chain security management activities of other information systems.

According to the draft requirements, IT product suppliers should, among other things:

  • undertake a supply chain security risk assessment;
  • develop a traceability strategy for purchased IT products and components, recording and retaining such information as the origin and original supplier of the IT products and components; and
  • establish and implement a secure development process for IT products, clarifying development management requirements, security control measures and personnel codes of conduct, among other things.

Further, customers should, among other things:

  • establish and maintain a catalogue of qualified suppliers; and
  • regularly assess the risk of:
    • IT product supply being interrupted;
    • authorisation being suspended; and
    • product upgrades or technical support services being refused.

Endnotes

(1) Further information is available here.