The increasing number of cyber-attacks on cyber supply chains has put organizational integrity and data security at risk; it is therefore important to understand how to enhance Cyber Supply Chain Risk Management (CSCRM) frameworks. This study investigates the application, effectiveness, and challenges of three frameworks (ISO, NIST, and NIS2) in the context of mitigating third-party risks in the cyber supply chain. The study uses a qualitative research approach, and data was gathered through semi-structured interviews with eight domain experts in the field of information security. The participants provided valuable data and insights into the real-world application of these frameworks in CSCRM and into their perceptions of them. Reflexive thematic analysis was used to analyze the collected data. The findings showed that while there is consensus among the domain experts regarding the frameworks' flexibility and adaptability, the frameworks do present difficulties regarding their complexity and resource-intensive implementation process.
Furthermore, it was found that the effectiveness of these frameworks in enhancing organizational data security and asset protection depends on the specific adoption and implementation practices within organizations. Overall, the findings show that while the theoretical underpinnings of these frameworks are strong, in that they are comprehensive and effective, applying them in an organizational context is challenging because of difficulties in practical implementation. This study contributes to CSCRM practices and strategies by providing findings that organizations aiming to strengthen the cyber defense of their cyber supply chain may use. The findings may also give policymakers valuable insight into these challenges, to inform future improvements.