Supply Chain Resilience Standards Can Help Formulate Policy

By Paul Kirvan | September 20th, 2023

Public and private sector organizations that depend on their supply chains will benefit from standards and guidance to establish supply chain continuity and resilience.

Supply chains are integral components of just about any type of business, in both public and private sectors.  They ensure that resources needed by an organization can be procured and delivered as needed so that a finished product or service can be produced. They also provide the channels for organizations to deliver their goods and services.  Loss of or disruption to supply chains – without any procedures to mitigate such disruptions – can negatively affect an organization’s ability to perform its work and may cause reputational damage.

Achieving resilient supply chains can be a complex process, especially if components in the supply chain are at risk.  As chains get increasingly complex and further removed from the primary organization, a break in a supply chain may be almost impossible to predict and detect – until it occurs and the domino effect is felt.

Supply chain standards and why they are important

While there are currently very few standards specific to supply chain resilience, many documents are available that provide guidance on supply chains and supply chain security.  Additional standards and guidance documents address disciplines aligned with supply chains, such as business continuity and cybersecurity.  Insights and guidance from these documents can be used to formulate a policy on supply chain resilience, along with procedures for analyzing supply chains and for mitigating disruptions.

The following are standards organizations and examples of current standards that directly apply to supply chain continuity or indirectly via cybersecurity, business continuity and other disciplines.

ASIS International (www.asisonline.org)

ASIS has a large library of articles, papers, reports and guidance on supply chains and supply chain security.  One example in particular is Supply Chain Risk Management – A Compilation of Best Practices Standard (2014). The standard offers a practitioner-focused framework to gather supply chain resources and establish a baseline for assessing and responding to supply chain risks.

National Institute for Standards and Technology (NIST, www.nist.gov)

The standards agency issued an update in 2021 for its Interagency Report 7622, National Supply Chain Risk Management Practices for Federal Information Systems, which provides guidance on how to understand supply chains and achieve visibility throughout the chain.  While the focus is on information systems, the guidance can be applied to non-IT situations as well.

NIST has also developed programs in manufacturing and supply management, especially the Manufacturing Extension Partnership (MEP, www.nist.gov/mep), a nationwide public-private partnership that provides a broad range of services to small- and medium-sized manufacturers.  Among the many services is expertise in cybersecurity management, a key risk factor in supply chains.  NIST’s many other standards in security, risk management, and continuity can be applied to supply chain resilience programs.  These can include the following:

SP 800-34 (2020) Contingency Planning Guide for Federal Information Systems: Widely used for developing technology disaster recovery (DR) plans for government IT systems; it is also applicable to private sector organizations.

SP 800-53 Rev5 (2020) Security and Privacy Controls for Information Systems and Organizations: Provides guidance on security controls for IT systems, and can be applied to systems used in supply chains.

International Organization for Standardization (www.iso.org)

The ISO is a global standards organization that has developed dozens of standards that address security, continuity and resilience.  Among the standards addressing supply chains – either directly or indirectly – are the following:

ISO 22301:2019 Societal Security – Business continuity management systems – Requirements: This is generally regarded as the global standard for business continuity.  Its guidance for developing business continuity management systems (BCMS) can be applied to supply chains.  It is also a standard for which certification is available.

ISO 22313:2020 Societal Security – Business continuity management systems – Guidance: This is the companion to ISO 22301 and provides guidance on how to implement a BCMS.

ISO 22317:2021 Security and resilience – Business continuity management systems – Guidelines for business impact analysis: BIAs are important tools for gathering data about suppliers and about dependencies on vendors and suppliers, and they generate data that can be used in the next standard.

ISO 22318:2021 Security and resilience – Business continuity management systems – Guidelines for supply chain continuity management: This standard defines supply chain continuity management (SCCM), examines the issues an organization may face if a disruption to any of its supply chains occurs, and provides guidance on how to prepare for and mitigate such events.

ISO 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements: This is a global information security standard whose guidance can be applied to the security of supply chains.  It is also a standard for which certification is available.

ISO 28000:2022 Security and resilience – Security management systems – Requirements: A relatively new standard, ISO 28000 provides details on building and deploying a security management system, and includes content relevant to supply chains.  It is vendor and industry sector agnostic, and can provide additional insights for protecting supply chains.

How to effectively use supply chain standards

When faced with the task of developing a program addressing supply chain resilience, consider examining the standards in this article.  Ensure that senior management supports the initiative and identify players in the organization who are likely to have expertise on supply chains they use.  If a BIA has been previously performed, check to see if it addressed supply chains.  If not, consider launching a BIA focused on supply chains and their impact to the organization.  Review the ASIS standard and ISO 22318 for starters, as they will provide insights on the nuances of supply chains.  The other standards listed can provide valuable inputs to security and continuity issues, perhaps even to establish a supply chain resilience management system.


Published in Enterprise Resilience


About the Author:

Paul Kirvan, FBCI, CISA, is an independent business resilience consultant, IT auditor, and technical writer with over 35 years of experience.  Mr. Kirvan is a Fellow of the Business Continuity Institute (FBCI), a Certified Information Systems Auditor (CISA) and a member of the Resilience Association.  www.resilienceassociation.org   [email protected]
https://www.linkedin.com/in/paulkirvan/
