
Supply-Chain Attack


A supply-chain attack targets an organisation’s supply chain: instead of attacking the target directly, the attacker compromises a vendor, an open-source library, or an update mechanism and uses that trusted channel to reach the actual target systems. Prominent examples include the SolarWinds compromise and the Log4j vulnerability. Supply-chain attacks are countered with SBOM analysis, SCA (software composition analysis) tools, code signing, supplier assessments, and network segmentation. In an ISMS, supply-chain security falls under the controls in ISO 27001 Annex A 5.19-5.22 and is growing in importance as reliance on third-party software increases.