great importance on protecting the confidentiality, integrity and availability
of its data and information systems. Due to the ever-evolving threat landscape,
increasing supply chain complexity and regulatory pressure, it is our responsibility
to maintain measures to control and manage the security within our supply chain.

As part of those measures, Rolls-Royce requires our suppliers to adhere to a set of cyber
security standards, which is determined by a supplier impact assessment.

There are two cyber security standards, the Rolls-Royce Supplier Baseline Cyber Security
Standard and the Rolls-Royce Supplier Enhanced Cyber Security Standard, which are accessible
below. The results of the impact assessment enable Rolls-Royce to determine the
cyber security standard that best suits the supplier's risk
profile. For example, a supplier of strategic importance or a supplier handling
highly confidential Rolls-Royce data will warrant a greater level of cyber
security maturity and compliance with the Rolls-Royce Supplier Enhanced Cyber

If you are unable to comply with any measures contained in the cyber security standard
applicable to your contract, then Rolls-Royce will agree with you in good faith a remediation
plan to achieve compliance with the measures as part of the incorporation of
the relevant cyber security standard into the supplier contract.

As all companies are potential targets, working together to minimise the risk of cyber
incursion is important. Threat actors are indiscriminate in their use of supply chains to
access networks, and therefore we would request that all our suppliers support
us in preventing any malicious activity and immediately contact Rolls-Royce at
UK.SOC@rolls-royce.com if you identify anything that causes you concern or
suggests that anything untoward has occurred on your network.

If you have any questions about the mandated cyber security requirement, then please send
your questions to RRITSecurityCompliance@rolls-royce.com. For all other queries, please
contact your Rolls-Royce Procurement point of contact.