Supply Chain Cyber Security

Cyber breaches within supply chains represent a significant and growing risk to global industry. NQC enables buyers to highlight risks to information in their supply chain, and helps suppliers to understand and enhance their cyber security posture.

The service can be used to analyse suppliers, contracts, sub-contractors and categories.


  • Assess suppliers against best practice, including the ISO 27001 framework
  • Achieve Cyber Essentials certification down the supply chain
  • Standardised Red-Amber-Green supplier performance ratings
  • Automatic generation of cyber risk registers
  • Corrective Action Plans provided to every supplier
  • Dynamic and guided assessment helps suppliers to understand compliance
  • Standard registration and engagement process


  • Identify and mitigate cyber risks in the supply chain
  • Achieve compliance with HMG contracting requirements
  • Understand supply chain cyber posture
  • Improve security of information in the supply chain
  • Demonstrate best practice in cyber security
  • Clearer understanding of best practice amongst suppliers

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: None
System requirements: Web browser

User support

Email or online ticketing support: Email or online ticketing
Support response times: We provide a Support Centre for 1st line support with additional technical resources for 2nd and 3rd line as required. Standard support times are 9am to 5pm Monday to Friday. Support response times are within 5 working days.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
Web chat accessibility testing: Testing delivered in line with the 18F Accessibility Guide.
Onsite support: No
Support levels: We provide a Support Centre for 1st line support with additional technical resources for 2nd and 3rd line as required. Standard UK hours of service are offered with English-speaking staff and this cost is incorporated into our SaaS licence fees. Additional hours and languages can be included as required at an additional cost. Users can have access to a Service Delivery Executive and an Account Manager as required.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Users are allocated a Service Delivery Executive who takes them through a detailed onboarding process. This involves user set-up and online training via WebEx, alongside access to user guides and standard template documents.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: This is undertaken by our technical staff and shared securely with the user in an agreed format.
End-of-contract process: Users will have the ability to extract relevant data from the system either via CSV or PDF. NQC are able to provide a bulk download of data at an additional cost. Licences are removed from the Service for the Users and any personal data is also removed.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: None - formatting is designed to redraw in mobile mode to make it easier to view, but the content remains the same.
Service interface: Yes
Description of service interface: Web browser
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: Testing delivered in line with the 18F Accessibility Guide.
What users can and can't do using the API: Full documentation is available for the various APIs offered via the Service. The APIs enable users to query and extract a range of data sets, from summary data to full responses. A range of standard calls have been created that provide users with the flexibility to extract the information they require.
API documentation: Yes
API documentation formats:
  • HTML
  • ODF
  • PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Users are able to customise their dashboards to view data relevant to their roles/requirements. This customisation is configurable by the user within their online account. Additional, more complex customisation can be undertaken by NQC on behalf of users; for example, bespoke landing pages and content can be created as required.


Independence of resources: Load balancing and compartmentalisation of virtual machines ensure that users receive a reliable and consistent service.


Service usage metrics: Yes
Metrics types: Standard metrics relate to Service consumption and will differ depending on the chosen service options. The metrics will typically include user logins, supplier completions, suppliers contacted, etc. When supplier risk scores are available, further risk analysis is also provided as required via the Service Delivery Executive.
Reporting types:
  • Real-time dashboards
  • Regular reports


Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users can export their data in bulk via CSV or in individual PDF report format as required.
Data export formats: CSV
Data import formats:
  • CSV
  • Other
Other data import formats: XML

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Our Service has an uptime target of 99.99% during peak hours, set between 8am and 10pm GMT. Outside of peak hours the application has an uptime target of 99.9%. Uptime covers all features of the NQC system being accessible as designed to the end-user. A Service credit regime is available but will be discussed and agreed on a client-by-client basis.
Approach to resilience: Available on request
Outage reporting: Outages are flagged via a public dashboard and via email notification to users.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: Both management interfaces and support channels are controlled via public key exchange and IP locking.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Alcumus Isoqar
ISO/IEC 27001 accreditation date: 02/03/2017
What the ISO/IEC 27001 doesn’t cover: Not applicable - the design, application and management of all our software solutions is included in the Scope/Statement of Applicability.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: Yes
Who accredited the PCI DSS certification: Nettitude
PCI DSS accreditation date: Self assessment
What the PCI DSS doesn’t cover: We fall under the self assessment category due to the third party providers we integrate with and the limited information we hold.
Other security certifications: Yes
Any other security certifications: Cyber Essentials Plus

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: The organisation is ISO 27001 certified and has an infosec policy which has been approved by the Board and is reviewed on a regular basis. Staff are trained on infosec as part of their induction and at regular intervals thereafter. Non-adherence to the policy is a disciplinary offence and is strictly enforced.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: All changes to any information service, system or resource used by or on behalf of NQC are required to be authorised through the Change Management process. Changes are controlled by a CAB (Change Advisory Board) so that all aspects of a change can be discussed and analysed to assess its impact on each area of NQC information systems. The impact or risk assessment takes into account information security, availability, capacity and performance of existing production systems.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Identified vulnerabilities for organisational assets are prioritised as HIGH, MEDIUM or LOW, and the organisation has established the following timeline requirements for reacting to notifications of relevant vulnerabilities: HIGH = 2 hours, MEDIUM = 1 week and LOW = 1 month. All vulnerabilities that fall into these classifications are first assessed for seriousness, and the required controls are considered: patching; turning off or removing services affected by the vulnerability; adapting or adding access controls; increased monitoring; and awareness raising. The required controls are actioned through the change management procedure. All high vulnerabilities are assessed by the CAB.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Any events or weaknesses detected through the monitoring of access logs, the use of alert services and the review of third party management information by the relevant asset/relationship owner fall within the scope of the protective monitoring procedure. The Information Security Manager identifies a course of action and timescale to correct any potential issue, dependent upon the effect the issue is likely to have and to what degree; for example, isolation or suspension of the relevant facilities/service is implemented as deemed necessary. The actions will rectify the issue and prevent its recurrence.
Incident management type: Conforms to a recognised standard, for example CSA CCM v3.0, ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Management responsibilities and procedures have been established to ensure a quick, effective and orderly response to information security incidents, one that ensures appropriate corrective or preventative actions, restores normal operations as quickly as possible, and ensures that improvement opportunities are identified and acted upon. Any employee or third party who becomes aware of an issue which does not meet the organisation’s defined approach and standards, or which has the potential for such an adverse effect, raises it immediately with the Information Security Manager, either verbally or via email.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No


Price: £50 per unit
Discount for educational organisations: No
Free trial available: No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)