UnixTime

Research Note

RISK-0011 Unmanaged Supplier Security Exposure Due to Incomplete Supplier Inventory

Because suppliers, products, and services are not inventoried, owned, risk-tiered, and periodically reviewed, the organization may accept security exposure without knowing who is accountable or what controls apply.

On this page

RISK-0011

Risk summary

Likelihood
4
Impact
4
Score
16
Level
High
  1. 01

    Asset

    Supplier relationships, outsourced services, supplier-managed information, third-party access paths, supplier products, and service dependencies.

    Business object or system that needs protection.
  2. 02

    Threat

    Supplier compromise, supplier negligence, unmanaged subcontractor access, business disruption, unauthorized information disclosure, or supplier-caused control failure.

    Event, actor, or condition that can create harm.
  3. 03

    Vulnerability

    Supplier inventory, ownership, information exposure, risk tiering, assurance evidence, subcontractor visibility, and review cadence are missing or incomplete.

    Weakness that makes the threat relevant.
  4. 04

    Risk

    Because suppliers, products, and services are not inventoried, owned, risk-tiered, and periodically reviewed, the organization may accept security exposure without knowing who is accountable or what controls apply.

    Scenario evaluated with likelihood, impact, and ownership.
  5. 05

    Treatment

    Mitigate through a supplier security register, supplier owners, risk assessment, risk-tiered due diligence, subcontractor visibility, security agreement requirements, and periodic review.

    Decision path for reducing, accepting, transferring, or avoiding risk.

Assessment Rationale

Likelihood

The likelihood is high because supplier relationships change continuously and often begin through procurement, operations, or engineering before security ownership is fully recorded.

Impact

The impact is high because unmanaged suppliers can create data exposure, service disruption, contract failure, audit findings, and downstream compliance gaps.

Residual Risk

After treatment, residual risk is estimated as medium when all security-relevant suppliers are owned, risk-tiered, reviewed, and linked to agreement and assurance evidence.

Review Notes

Review after supplier onboarding, renewal, service scope changes, subcontractor changes, incidents, assurance findings, and material business or regulatory changes.

Software Object Mapping

  • risk
  • supplier
  • control
  • evidence
  • review
  • Iso27005
  • Risk
  • Iso27001
  • Supplier security

Note Metadata

Aliases: RISK-0011

Source: 05-Risk-Knowledge-Base/RISK-0011-Unmanaged-Supplier-Security-Exposure.md