Governance, CI/CD, Vendors, and Software Supply Chain
This checklist reflects how NIS2 supply chain requirements are actually reviewed by auditors and supervisory authorities. It focuses on governance, technical enforcement, and evidence, rather than high-level policy statements.
Use this checklist to assess readiness before an audit or to guide evidence preparation during supervision.
1. Scope and Supplier Identification
Auditor focus
Are all relevant suppliers identified and in scope?
Checklist
- ⬜ Supplier inventory exists and is maintained
- ⬜ Inventory includes:
- software vendors
- CI/CD platforms
- cloud and infrastructure providers
- outsourced ICT services
- ⬜ Suppliers are mapped to supported services or systems
- ⬜ Supply chain scope is formally documented
Typical red flags
- CI/CD providers excluded from supplier scope
- Incomplete or outdated supplier lists
2. Supplier Criticality and Risk Classification
Auditor focus
Are supply chain risks assessed proportionally?
Checklist
- ⬜ Suppliers are classified by criticality
- ⬜ Classification criteria include:
- impact on essential services
- level of privileged access
- data sensitivity
- substitutability
- ⬜ Risk assessments are documented and repeatable
- ⬜ Critical suppliers are clearly identified
Typical red flags
- No distinction between critical and non-critical suppliers
- Risk assessments performed informally
3. Supplier Governance and Ownership
Auditor focus
Who is accountable for supplier risk?
Checklist
- ⬜ Each supplier has a clearly assigned internal owner
- ⬜ Supplier governance roles are defined
- ⬜ Periodic supplier reviews are performed
- ⬜ Supplier-related risks are escalated appropriately
Typical red flags
- Supplier ownership unclear or implicit
- No evidence of ongoing supplier oversight
4. Procurement and Contractual Controls
Auditor focus
Are cybersecurity requirements enforceable?
Checklist
- ⬜ Cybersecurity requirements integrated into procurement
- ⬜ Contracts include:
- security obligations
- incident notification requirements
- cooperation clauses
- ⬜ Security clauses applied consistently to critical suppliers
- ⬜ Contract exceptions are documented and justified
Typical red flags
- Security requirements applied inconsistently
- No traceability between contracts and risk assessments
5. CI/CD Supply Chain Controls
Auditor focus
How is supply chain risk enforced technically?
Checklist
- ⬜ CI/CD pipelines are mandatory for production changes
- ⬜ Access to CI/CD platforms is restricted (RBAC, MFA)
- ⬜ Pipeline modifications are controlled and logged
- ⬜ Segregation of duties is enforced through mandatory approvals (the author of a change cannot be its only approver)
- ⬜ Third-party integrations in CI/CD are governed
Typical red flags
- Manual or out-of-band deployments
- Over-privileged CI/CD service accounts
6. Dependency and Software Integrity Controls
Auditor focus
How do you trust what you deploy?
Checklist
- ⬜ Dependency inventories exist for critical applications
- ⬜ Dependency scanning (SCA) is performed
- ⬜ Critical vulnerabilities trigger remediation or a documented risk decision within a defined timeframe
- ⬜ SBOMs are available for critical systems (where applicable)
- ⬜ Artifact integrity and provenance are ensured (deployed artifacts are checksummed or signed, and their build source, builder and inputs are recorded and verified before deployment)
Typical red flags
- No visibility into dependencies
- Inability to trace deployed artifacts
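The checks behind the last two items above (artifact integrity, provenance, traceability to an SBOM) are easier to evidence when they run as code in the deploy step. The block below is an added example, not code from the checklist page or any particular tool: the provenance record layout, the SBOM layout, the HMAC-signed attestation and all sample values are constructed for the demo. Real pipelines use asymmetric signatures (for instance Sigstore) and a standard SBOM format such as SPDX or CycloneDX, but the shape of the verification is the same: check the signature first, then the digest, then the builder identity, then that every build input appears in the SBOM.

```python
"""Verify a release artifact against a signed provenance record and an SBOM.

Added example (not from the checklist page). The provenance/SBOM layouts,
the HMAC-signed attestation and the sample data are constructed; a real
deployment would verify an asymmetric signature and a standard SBOM format.
"""
import hashlib
import hmac
import json

# Constructed sample: the bytes of a "built artifact".
ARTIFACT = b"#!/bin/sh\necho 'service v1.4.2'\n"

# Constructed provenance record: what was built, by whom, from what.
PROVENANCE = {
    "subject": {
        "name": "service-1.4.2.tar.gz",
        "sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    },
    "builder": "ci-prod-runner",
    "source": {"repo": "git.example.internal/app/service", "commit": "3f9c1e2"},
    "materials": [
        {"name": "pkg:pypi/requests@2.32.3"},
        {"name": "pkg:pypi/urllib3@2.2.2"},
    ],
}

# Constructed SBOM for the deployed system (component identifiers as purls).
SBOM = {
    "components": [
        {"purl": "pkg:pypi/requests@2.32.3"},
        {"purl": "pkg:pypi/urllib3@2.2.2"},
    ]
}

TRUSTED_BUILDERS = {"ci-prod-runner"}   # assumption: the only identity allowed to build prod artifacts
ATTESTATION_KEY = b"demo-only-key"      # stands in for the attestation signing key


def canonical(obj):
    """Deterministic JSON encoding so the signature covers a stable byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(record, key):
    """HMAC-SHA256 over the canonical record (demo stand-in for a real signature)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_artifact(artifact, provenance, signature, sbom, key, trusted_builders):
    """Return a list of findings; an empty list means the artifact may be deployed."""
    findings = []
    # 1. Signature first: an unsigned or tampered record cannot be used for anything below.
    if not hmac.compare_digest(sign(provenance, key), signature):
        findings.append("provenance signature invalid")
        return findings
    # 2. The artifact we are about to deploy must be the artifact the record describes.
    digest = hashlib.sha256(artifact).hexdigest()
    if digest != provenance["subject"]["sha256"]:
        findings.append("artifact digest does not match provenance subject")
    # 3. Only the approved build identity may produce production artifacts.
    if provenance["builder"] not in trusted_builders:
        findings.append(f"untrusted builder: {provenance['builder']}")
    # 4. Every build input must be traceable in the SBOM of the deployed system.
    sbom_purls = {c["purl"] for c in sbom["components"]}
    for material in provenance["materials"]:
        if material["name"] not in sbom_purls:
            findings.append(f"build material not in SBOM: {material['name']}")
    return findings


SIGNATURE = sign(PROVENANCE, ATTESTATION_KEY)

if __name__ == "__main__":
    print("clean artifact:", verify_artifact(ARTIFACT, PROVENANCE, SIGNATURE, SBOM,
                                             ATTESTATION_KEY, TRUSTED_BUILDERS))
    print("tampered bytes:", verify_artifact(ARTIFACT + b"x", PROVENANCE, SIGNATURE, SBOM,
                                             ATTESTATION_KEY, TRUSTED_BUILDERS))
```

The order of the checks matters: a provenance record whose signature fails is discarded before its builder or digest fields are trusted, which is what stops an attacker who can rewrite the record from also rewriting the expected digest. The findings list, stored with the deployment record, is the kind of artifact-level evidence an auditor asks for under "inability to trace deployed artifacts".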
7. Third-Party Access Management
Auditor focus
Do suppliers have controlled access?
Checklist
- ⬜ Third-party and service accounts are inventoried
- ⬜ Access follows least privilege principles
- ⬜ Privileged access is approved and logged
- ⬜ Periodic access reviews are performed
- ⬜ Access revocation procedures exist
Typical red flags
- Long-lived supplier accounts without review
- Shared or undocumented credentials
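A periodic access review is only evidence if it is repeatable, so it helps to express the checklist items above as a script run against the supplier account inventory. The block below is an added example, not from the checklist page: the inventory rows, the field names and the two thresholds (90-day review interval, 180-day credential age) are assumptions chosen for the demo, and you would replace them with your own policy values and an export from your identity provider.

```python
"""Periodic review of third-party and supplier accounts.

Added example, not from the checklist page. The inventory rows, field names
and thresholds are constructed; feed in an export from your IdP or PAM tool.
Each finding maps to a checklist item: owner assigned, least privilege
reviewed, review performed on schedule, credentials rotated, access revoked
when the contract ends.
"""
from datetime import date

REVIEW_INTERVAL_DAYS = 90       # assumption: quarterly review of supplier access
MAX_CREDENTIAL_AGE_DAYS = 180   # assumption: rotate supplier credentials twice a year

INVENTORY = [  # constructed sample rows
    {"account": "vendor-a-support", "supplier": "Vendor A", "owner": "it-ops",
     "privileged": True, "last_review": "2024-03-01", "credential_issued": "2024-02-15",
     "shared": False, "contract_active": True},
    {"account": "vendor-b-deploy", "supplier": "Vendor B", "owner": None,
     "privileged": True, "last_review": None, "credential_issued": "2022-11-01",
     "shared": True, "contract_active": True},
    {"account": "vendor-c-readonly", "supplier": "Vendor C", "owner": "app-team",
     "privileged": False, "last_review": "2024-04-20", "credential_issued": "2024-01-10",
     "shared": False, "contract_active": False},
]


def _age_days(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def review(inventory, today=None, review_days=REVIEW_INTERVAL_DAYS,
           cred_days=MAX_CREDENTIAL_AGE_DAYS):
    """Return {account: [issues]} for every account that fails at least one check."""
    today = today or date.today()
    findings = {}
    for acct in inventory:
        issues = []
        if not acct["owner"]:
            issues.append("no internal owner")
        if acct["shared"]:
            issues.append("shared credential")
        # A review that never happened is treated the same as an overdue one.
        if acct["last_review"] is None or _age_days(acct["last_review"], today) > review_days:
            issues.append("access review overdue")
        if _age_days(acct["credential_issued"], today) > cred_days:
            issues.append("credential older than rotation limit")
        if not acct["contract_active"]:
            issues.append("contract ended: revoke")
        if issues:
            findings[acct["account"]] = issues
    return findings


def revocation_list(inventory):
    """Accounts whose supplier contract has ended and must be disabled now."""
    return sorted(a["account"] for a in inventory if not a["contract_active"])


def privileged_without_owner(inventory):
    """The highest-risk combination: privileged supplier access nobody is accountable for."""
    return sorted(a["account"] for a in inventory if a["privileged"] and not a["owner"])


if __name__ == "__main__":
    for account, issues in review(INVENTORY, date(2024, 5, 6)).items():
        print(account, "->", "; ".join(issues))
    print("revoke now:", revocation_list(INVENTORY))
```

Running this on a schedule and archiving the output (with the run date) is what turns "periodic access reviews are performed" from a policy statement into retrievable evidence; the revocation list doubles as the input to the quick-revocation procedure the incident response section asks for.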
8. Monitoring and Detection
Auditor focus
Can you detect supply chain-related events?
Checklist
- ⬜ CI/CD pipeline activity is monitored (production deployments, pipeline definition changes, new third-party integrations)
- ⬜ Dependency vulnerability alerts are monitored
- ⬜ Supplier-related anomalies are detectable
- ⬜ Alerts have defined escalation paths
Typical red flags
- Logs exist but are not reviewed
- No alerting for CI/CD or dependency issues
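The red flags in section 5 (manual or out-of-band deployments, uncontrolled pipeline modifications, ungoverned integrations) and in this section (logs that exist but are not reviewed) are the same problem seen from two sides: the audit log records the event, but nothing turns it into an alert. The block below is an added example, not from the checklist page or any CI/CD vendor: the event schema, the field names and the sample audit log are constructed, and you would map them onto your platform's real audit export (GitHub, GitLab and Jenkins each differ). It runs three detection rules over the sample lines.

```python
"""Detection rules over CI/CD audit events.

Added example, not from the checklist page. The event schema and the sample
audit log are constructed; map the field names to your platform's audit log.
Rules:
  1. OUT_OF_BAND_DEPLOY: production deployment by an identity other than the pipeline
  2. PIPELINE_CHANGE_NO_INDEPENDENT_APPROVAL: pipeline definition merged without an
     approver distinct from the author (segregation of duties)
  3. UNAPPROVED_INTEGRATION: third-party app installed that is not on the approved list
"""
import json

PIPELINE_IDENTITIES = {"svc-deploy-prod"}                   # assumption: the only prod deploy identity
APPROVED_INTEGRATIONS = {"sca-scanner", "artifact-registry"}  # assumption: governed supplier list
PIPELINE_FILES = (".github/workflows/", ".gitlab-ci.yml", "Jenkinsfile")

# Constructed sample audit log, one JSON event per line.
SAMPLE_AUDIT_LOG = """
{"ts":"2024-05-06T09:12:03Z","event":"deploy","env":"prod","actor":"svc-deploy-prod","ref":"3f9c1e2","run_id":"8812"}
{"ts":"2024-05-06T11:40:51Z","event":"deploy","env":"prod","actor":"jdoe","ref":"3f9c1e2","run_id":null}
{"ts":"2024-05-06T12:01:10Z","event":"merge","actor":"asmith","approvers":["asmith"],"files":[".github/workflows/release.yml"]}
{"ts":"2024-05-06T12:05:44Z","event":"merge","actor":"asmith","approvers":["bjones"],"files":["src/app.py"]}
{"ts":"2024-05-06T13:22:00Z","event":"integration_installed","actor":"jdoe","integration":"unknown-vendor-bot"}
{"ts":"2024-05-06T13:25:00Z","event":"integration_installed","actor":"secops","integration":"sca-scanner"}
"""


def parse(log_text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def detect(events, pipeline_ids=PIPELINE_IDENTITIES, approved=APPROVED_INTEGRATIONS):
    """Return a list of (timestamp, rule, message) alerts in event order."""
    alerts = []
    for e in events:
        if e["event"] == "deploy" and e["env"] == "prod" and e["actor"] not in pipeline_ids:
            # A human (or any non-pipeline identity) pushing to prod bypasses every pipeline control.
            alerts.append((e["ts"], "OUT_OF_BAND_DEPLOY",
                           f"{e['actor']} deployed {e['ref']} to prod outside the pipeline"))
        elif e["event"] == "merge":
            touches_pipeline = any(p in f for f in e["files"] for p in PIPELINE_FILES)
            independent = [a for a in e["approvers"] if a != e["actor"]]
            if touches_pipeline and not independent:
                # Self-approval of the pipeline definition defeats segregation of duties.
                alerts.append((e["ts"], "PIPELINE_CHANGE_NO_INDEPENDENT_APPROVAL",
                               f"{e['actor']} merged a pipeline change approved only by themselves"))
        elif e["event"] == "integration_installed" and e["integration"] not in approved:
            alerts.append((e["ts"], "UNAPPROVED_INTEGRATION",
                           f"{e['actor']} installed {e['integration']}, not on the approved supplier list"))
    return alerts


def summary(alerts):
    """Count alerts per rule, the figure a periodic review would report."""
    counts = {}
    for _, rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(parse(SAMPLE_AUDIT_LOG))
    for ts, rule, msg in found:
        print(ts, rule, msg)
    print(summary(found))
```

Each rule reads a control from section 5 back out of the log: if the rule never fires, you have evidence that the control holds; if it fires and nobody escalates, you have the "logs exist but are not reviewed" finding. Wiring the alerts into the escalation path the checklist asks for is the part the script cannot do for you.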
9. Incident Response and Supplier Coordination
Auditor focus
Are you prepared for supplier incidents?
Checklist
- ⬜ Incident response plans include supplier scenarios
- ⬜ Supplier escalation and notification paths are defined
- ⬜ Supplier access can be revoked quickly, and the revocation procedure has been exercised, not just documented
- ⬜ Incident simulations or tests performed
- ⬜ Post-incident reviews documented
Typical red flags
- Supplier incidents handled ad hoc
- No documented coordination process
10. Evidence Retention and Auditability
Auditor focus
Can evidence be produced on demand?
Checklist
- ⬜ Evidence retention periods are defined
- ⬜ CI/CD logs and security records are retained
- ⬜ Supplier documentation is archived
- ⬜ Historical evidence can be retrieved
Typical red flags
- Retention periods too short to cover a supervisory review or a past incident
- Evidence scattered across systems
Final Auditor Assessment Questions
Before closing an audit, supervisors typically ask themselves:
- Are supply chain risks clearly understood?
- Are controls enforced technically, not just documented?
- Is evidence reliable, complete, and retrievable?
- Is CI/CD treated as part of the regulated environment?
If these questions can be answered confidently, NIS2 supply chain readiness is usually considered satisfactory.
Conclusion
NIS2 supply chain compliance is evaluated through evidence, enforcement, and accountability. This checklist reflects how auditors assess maturity in practice and helps organizations identify gaps before supervision occurs.
Related Content
- NIS2 Supply Chain Evidence Pack
- NIS2 Supply Chain Security Deep Dive
- NIS2 Security Architecture — Explained
- Supplier Governance & CI/CD Controls Checklist
- How Auditors Actually Review CI/CD Pipelines