This article provides additional information on how you can meet the requirement for the CAF control A4.a Supply Chain (third-party risk management).
CAF requires organisations to understand dependencies on suppliers and effectively manage the risks associated with suppliers to the security of network and information systems.
A Supplier (Vendor) Management Policy should be documented that outlines the supplier risk management approach that must be followed.
Supplier due diligence
- All suppliers and sub-contractors that hold confidential company or client information are recorded in the Vendor Register within Adoptech, where risks, dependencies and assurance activities are tracked.
- During onboarding suppliers are assessed based on their security posture, ownership structure, geographic considerations, use of subcontractors, and any factors that may increase exposure to well-resourced threat actors. This assessment informs purchasing decisions and is repeated for critical suppliers at regular intervals.
- For suppliers that support systems underpinning essential functions (e.g. hosting providers, monitoring tools, backup services, SaaS platforms), evidence of appropriate and proportionate security controls is required. This may include certifications (such as ISO 27001), SOC 2 reports, penetration test reports, or contractual commitments. Such certifications and reports are recorded within the Vendor Register.
- Relevant contracts include clearly defined security requirements, roles, responsibilities, and data-handling obligations. Where applicable, contract management plans are maintained for critical suppliers to ensure ongoing assurance.
- All third-party access, integrations, and data flows are reviewed and approved before being enabled.
Ongoing Supplier Management
- Ongoing monitoring ensures that supplier connections and data sharing remain appropriately secured and proportionate to risk.
- Supply chain risks are reviewed periodically by reviewing the Vendor Register at the quarterly security management meetings.
- Supplier assessments are updated whenever threats, services, or dependencies change.
Supplier communication during incident response
Our incident response process includes provisions for coordinating with suppliers when an incident involves shared systems or services, ensuring timely escalation, collaboration, and resolution.