
ICT Supplier Risk Management: A Practical Guide for UK SMEs

Written by Daniel J Glover

Published 3 June 2026

The Supplier Problem You Probably Do Not Know You Have

Every piece of technology in your business — the cloud platform your data lives on, the SaaS tool your team uses for collaboration, the managed service provider that runs your network — is a supplier. And every supplier is a potential point of failure, both operationally and from a security perspective.

For most SMEs, this reality has crept up gradually. You signed up for a productivity tool in 2019, moved your infrastructure to the cloud in 2021, and outsourced your security monitoring last year. Each decision made sense in isolation. Together, they have created a technology supply chain that you probably do not fully understand and are not actively managing.

The NCSC's 2024 guidance on supply chain security made clear that SMEs are increasingly in scope for the same supply chain expectations that apply to larger organisations — partly because attackers know that SMEs often have weaker controls on their supplier relationships than their larger counterparts.

This guide covers how to assess, manage, and monitor ICT supplier risk without a dedicated procurement function. The goal is proportionate, practical guidance — something a busy IT leader or managing director can actually implement.

Why ICT Supplier Risk Is Different From General Procurement Risk

ICT supplier risk has characteristics that distinguish it from other types of supplier risk in your business.

Data sovereignty and third-party data handling. Your supplier holds or processes your data — potentially your customers' data, your financial information, your intellectual property. When something goes wrong with the supplier — a breach, a service failure, a company failure — your data is directly affected. This is not the same as a widget supplier who might run late on a delivery.

Shared infrastructure and security dependencies. Many SMEs use shared cloud infrastructure, SaaS platforms with multi-tenant architectures, or managed service providers who connect to your network. A security failure at the supplier can become a security failure inside your environment. The SolarWinds attack demonstrated how a perimeter-based security model fails when a supplier has trusted network access. An identity-first security architecture limits this blast radius by verifying every request regardless of origin.

Service continuity dependencies. If your managed service provider fails — they lose key staff, they have a catastrophic infrastructure failure, they go out of business — how quickly does your business stop functioning? For many SMEs the answer is uncomfortably quickly.

The security baseline question. Every supplier you give access to your systems is a supplier who could become a vector for an attack. Understanding what controls they have in place, and what access they have to your environment, is foundational to managing ICT supplier risk.

Building an ICT Supplier Risk Assessment Framework

You cannot manage what you do not understand. The starting point is a structured assessment of the supplier relationships that matter most to your business.

Step 1: Map Your ICT Supplier Portfolio

Start with a simple inventory. For each ICT supplier, capture:

  • The service or technology provided
  • The criticality of that service to your business operations
  • The type and sensitivity of data they hold or process
  • The degree of technical access they have to your systems
  • The contract owner within your organisation

Criticality matters here. A supplier providing your corporate broadband is important but you could switch within days. A supplier providing the platform on which your core business application runs is critical — losing them would be a business continuity event. Separate your suppliers into tiers based on how quickly a failure would affect your business.

Step 2: Assess Against Risk Dimensions

For each significant supplier, assess the risk across a small number of dimensions that are relevant to ICT suppliers:

Security posture. What security controls does the supplier have in place? Do they have a recognised certification — ISO 27001, Cyber Essentials, SOC 2? Have they had any known security incidents in the past 24 months? What does their vulnerability management programme look like?

Financial stability. Are they a company you can rely on to be operating in 3 years' time? This matters most for suppliers where service continuity is critical — SaaS platforms with your data in them, managed service providers running your infrastructure. Companies House filing search is a basic starting point; for higher-value suppliers, ask for financial references or look at credit ratings.

Data handling practices. Where is your data stored? Who has access to it? What are their data retention and deletion policies? Do they sub-process data to third parties, and if so, under what controls? If they are processing personal data under UK GDPR, they are a data processor and you need a Data Processing Agreement — but that is the legal minimum, not the security benchmark.

Resilience and continuity. What is their actual uptime track record? Do they have documented disaster recovery capabilities? How do they communicate service incidents to customers? Do they test their recovery procedures?

Contractual protections. What do your contracts actually say about liability, data portability, service levels, and exit? Many SMEs sign standard terms without reviewing them and then discover the protections they assumed were there are not.

Step 3: Classify and Prioritise

Once you have assessed your suppliers against these dimensions, classify them into categories:

Critical suppliers — those with high business criticality, significant data access, or significant system access. These need the most thorough ongoing management and the most careful contract terms.

Important suppliers — those with moderate business criticality or moderate data access but not core to your immediate operations. Periodic review is appropriate.

Low-risk suppliers — commodity services where switching is easy and data exposure is minimal. Annual reviews or basic monitoring are sufficient.

The goal is to focus your management energy where it matters. You do not need to treat every SaaS subscription with the same rigour as your managed security provider.
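To show how Steps 1 to 3 fit together, here is a small supplier register written for this guide (an added example, not a tool from the article): each supplier is rated on the three inventory dimensions, tiered by the rule above, given the review cadence from the monitoring section, and checked for the contract and access gaps the guide lists. The sample suppliers and their ratings are constructed.

```python
"""Supplier inventory, assessment and tiering for Steps 1 to 3 (added example, constructed data)."""
from dataclasses import dataclass

RATINGS = {"low": 0, "moderate": 1, "high": 2}                    # the article's rating scale
TIER_ORDER = {"critical": 0, "important": 1, "low-risk": 2}
REVIEW_MONTHS = {"critical": 6, "important": 12, "low-risk": 12}  # cadence from the monitoring section

@dataclass
class Supplier:
    name: str
    service: str
    business_criticality: str   # how quickly a failure stops the business
    data_sensitivity: str       # type and sensitivity of data held or processed
    system_access: str          # degree of technical access to your systems
    contract_owner: str
    processes_personal_data: bool = False
    has_dpa: bool = False
    mfa_enforced: bool = False
    exit_terms_agreed: bool = False

def tier(s: Supplier) -> str:
    """Critical if any dimension is high; important if any is moderate; otherwise low-risk."""
    worst = max(RATINGS[s.business_criticality], RATINGS[s.data_sensitivity], RATINGS[s.system_access])
    return {2: "critical", 1: "important", 0: "low-risk"}[worst]

def gaps(s: Supplier) -> list[str]:
    """Control gaps to close before the next review, drawn from the article's checklists."""
    found = []
    if s.processes_personal_data and not s.has_dpa:
        found.append("processes personal data without a Data Processing Agreement")
    if RATINGS[s.system_access] >= 1 and not s.mfa_enforced:
        found.append("technical access without multi-factor authentication")
    if tier(s) == "critical" and not s.exit_terms_agreed:
        found.append("critical supplier without agreed exit and data portability terms")
    return found

def build_register(suppliers: list[Supplier]) -> list[tuple]:
    """Rows of (name, tier, review interval in months, gaps), most urgent first."""
    rows = [(s.name, tier(s), REVIEW_MONTHS[tier(s)], gaps(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[1]], -len(r[3])))

SAMPLE = [  # constructed sample portfolio
    Supplier("CloudHost Ltd", "core application platform", "high", "high", "high", "CTO",
             processes_personal_data=True, has_dpa=True, mfa_enforced=True),
    Supplier("NetWatch MSP", "managed security monitoring", "moderate", "moderate", "high",
             "IT manager", processes_personal_data=True, exit_terms_agreed=True),
    Supplier("QuickISP", "corporate broadband", "moderate", "low", "low", "Ops lead"),
    Supplier("TeamChat", "collaboration SaaS", "low", "moderate", "low", "Office manager",
             processes_personal_data=True, has_dpa=True),
]
```

Running `build_register(SAMPLE)` puts the managed security provider at the top: it is critical because of its system access, and it has two open gaps to close before the next six-monthly review.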

Key ICT Supplier Risks to Monitor

Beyond the initial assessment, there are specific risk patterns that ICT suppliers present which you should monitor on an ongoing basis.

Concentration Risk

Many SMEs have become highly dependent on a single supplier for a whole category of technology. Using Microsoft 365 for email, collaboration, identity management, and device management means that if Microsoft has a significant outage or a serious security incident, your entire productivity stack is affected simultaneously.

This is not necessarily wrong — Microsoft's security posture is likely better than a bespoke alternative — but it means you need to understand your concentration dependencies and have contingency plans for the scenarios where your primary supplier fails.

The 2024 CrowdStrike incident demonstrated how concentrated risk can cascade. A single software update from a security vendor caused widespread IT outages affecting airlines, healthcare providers, and financial institutions globally. For SMEs, the lesson is clear: understand where your single points of failure are, even if they are large and reputable suppliers.

Access and Authentication Risk

Every supplier who has access to your systems — whether through a VPN connection, a management portal, a third-party integration, or a remote support tool — is a potential vector for compromise. The 2019 Travelex incident, where attackers used a remote access tool to gain entry and deploy ransomware, is an example of a supplier access path being exploited.

Questions to ask:

  • Which suppliers have persistent access to your network?
  • What authentication controls are in place for that access?
  • Are there supplier accounts with admin privileges that could be exploited?
  • Do you have visibility of when suppliers access your systems?

For managed service providers and other suppliers with technical access, insist on:

  • Multi-factor authentication for all supplier accounts
  • Time-limited access where possible (no persistent access for routine support)
  • Audit logging of supplier access activities
  • Regular review of who has access — remove access when the engagement ends
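The four controls above only help if someone actually reviews the audit log against them. The following script is an added example written for this guide (not the article's own or any vendor's tooling) that checks a constructed supplier access log for logins without MFA, logins outside the agreed support window, admin use that was never agreed, and access by an account whose engagement has ended. The account names, policy values and log format are all assumptions.

```python
"""Periodic supplier access-log review against the MFA, time-limited access, audit
logging and access-removal controls above (added example; log and fields are constructed)."""
from datetime import datetime, date, time

SUPPLIER_ACCESS = {  # what each supplier account is contractually allowed to do (constructed)
    "msp-support": {"supplier": "NetWatch MSP", "engagement_end": date(2026, 12, 31),
                    "window": (time(8, 0), time(18, 0)), "admin_allowed": True},
    "isp-monitor": {"supplier": "QuickISP", "engagement_end": date(2026, 12, 31),
                    "window": (time(0, 0), time(23, 59)), "admin_allowed": False},
    "old-msp": {"supplier": "FormerMSP", "engagement_end": date(2025, 12, 31),
                "window": (time(8, 0), time(18, 0)), "admin_allowed": True},
}

SAMPLE_LOG = """\
2026-05-04T09:15:00,msp-support,yes,admin,login
2026-05-04T23:40:00,msp-support,yes,admin,login
2026-05-05T10:02:00,msp-support,no,admin,login
2026-05-06T11:30:00,isp-monitor,yes,admin,login
2026-05-07T14:00:00,old-msp,yes,admin,login
"""  # constructed audit log: timestamp,account,mfa,role,action

def check_event(when: datetime, account: str, mfa: str, role: str, policy) -> list[str]:
    """Return the policy breaches for one supplier login (empty list if it is clean)."""
    rule, issues = policy[account], []
    if mfa != "yes":
        issues.append("login without MFA")
    if when.date() > rule["engagement_end"]:
        issues.append("access after engagement end; account should have been removed")
    start, end = rule["window"]
    if not start <= when.time() <= end:
        issues.append("login outside agreed support window")
    if role == "admin" and not rule["admin_allowed"]:
        issues.append("admin privileges not agreed for this supplier")
    return issues

def review(log_text: str, policy=SUPPLIER_ACCESS) -> list[str]:
    """One finding line per breach; the output is the evidence for the periodic access review."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, account, mfa, role, action = line.split(",")
        if account not in policy or action != "login":
            continue  # internal account, or not an access event
        when = datetime.fromisoformat(ts)
        for issue in check_event(when, account, mfa, role, policy):
            findings.append(f"{ts} {account} ({policy[account]['supplier']}): {issue}")
    return findings
```

On the sample log, `review(SAMPLE_LOG)` returns four findings; the first login is clean, and the final one shows an account that should have been removed when the engagement ended.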

Sub-processor and Fourth-Party Risk

Your SaaS suppliers use other suppliers. Your managed service provider uses data centres, software platforms, and potentially other sub-contractors. Each link in that chain introduces risk that you may not see or manage directly.

UK GDPR requires you to know about sub-processors — you should have visibility of who your key data processors use as sub-processors. Beyond GDPR, the operational risk is that a sub-processor failure at a critical supplier cascades to affect your operations.

For significant ICT suppliers, ask:

  • Who are their key sub-processors?
  • What controls do they have in place over those sub-processors?
  • How quickly would they notify you if a sub-processor had a significant incident?

Data Portability and Exit Risk

One of the most underappreciated ICT supplier risks is the difficulty of getting your data back if you need to leave a supplier. Many SaaS platforms make data extraction deliberately difficult, or impose long timelines on data export, or charge for bulk data exports.

Before committing to any significant ICT supplier, establish:

  • How easy is it to export your data in a usable format?
  • What are the timeframes and costs for a full data export?
  • What happens to your data if the supplier goes out of business?
  • Can you migrate to an alternative supplier within a reasonable timeframe?

If the answers to these questions are "difficult", "slow", or "expensive", you have an exit risk that you should factor into your supplier selection decision and manage through the life of the relationship.

Practical ICT Supplier Risk Management

With your assessments complete, the ongoing challenge is maintaining visibility and control without dedicating disproportionate resource to supplier management.

Contracts Are Your Primary Tool

Your contracts with ICT suppliers are where your risk management requirements become obligations. Before signing any significant ICT supplier contract, ensure it includes:

  • Clear service level commitments with remedies for failure
  • Data processing terms that reflect your UK GDPR obligations (if they handle personal data)
  • Provisions for security incidents — notification timeframes, communication obligations, investigation cooperation
  • Exit provisions — data migration assistance, timelines, costs
  • Liability provisions that reflect the value of what they are providing (not the supplier's standard liability cap, which is often ridiculously low relative to the damage they could cause you)

If you are presented with a standard contract that does not reflect these protections, push back. Significant ICT suppliers are accustomed to contract negotiation, particularly for engagements of meaningful value.

Security Questionnaires

For critical ICT suppliers, use a standardised security questionnaire to assess their security posture. The NCSC's questionnaire guidance provides a good starting point, and there are standardised frameworks (like CAI's supplier security questions) that you can adapt for your use.

Do not expect perfection — the goal is to understand the supplier's security posture and identify gaps that are material to your risk. A supplier with ISO 27001 certification has demonstrated commitment to security; one without should be able to demonstrate equivalent controls through their questionnaire responses.

Continuous Monitoring

Supplier risk is not a one-time assessment — it requires ongoing monitoring. Practical approaches include:

  • Subscribe to your key suppliers' status pages and incident communications
  • Set calendar reminders for periodic review (every 6 months for critical, annually for important)
  • Monitor your supplier's public-facing security announcements
  • Track any reported incidents that might affect your data or services
  • Review access logs periodically to ensure supplier access is appropriate

For managed service providers specifically, require quarterly service reviews that cover security updates, incident history, and any changes to their service delivery.

Incident Response Planning for Supplier Failures

For your most critical ICT suppliers, have a documented plan for what happens if they fail. This is not about assigning blame (a major cloud provider going down is not something you could have prevented) but about how you maintain business continuity while the issue is resolved.

This means:

  • Knowing what your supplier's incident communication protocols are
  • Having internal escalation paths defined for supplier incidents
  • Understanding your manual workarounds if a critical service is unavailable
  • Testing recovery procedures for scenarios where the supplier cannot recover quickly

Specific Concerns for Technology Suppliers Under NIS2

If your organisation is in a sector subject to the NIS2 Directive — or if you are considering whether you might be — the supply chain security requirements are becoming more stringent. NIS2 places explicit obligations on essential and important entities to manage ICT supplier risk as part of their overall risk management approach.

Even if you are not yet subject to NIS2, its requirements reflect a direction of travel in UK cyber regulation that is relevant to well-governed SMEs. The NCSC's guidance on supply chain security provides a reasonable framework for any organisation that wants to take ICT supplier risk seriously.

Getting Started

The most effective first step is the supplier inventory. If you do not know who your ICT suppliers are, you cannot manage the risk. Start there, build your assessment, and tackle the critical suppliers first.

If you need help reviewing your ICT supplier relationships, assessing your supply chain risk, or establishing a supplier management framework, our IT governance framework guide covers the broader governance context that supplier risk sits within. Get in touch to discuss your specific situation. We work with UK SMEs to build proportionate IT governance practices that protect the business without creating bureaucratic overhead.

About the author

Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
