RISK-0011
Risk summary
- Likelihood
- 4
- Impact
- 4
- Score
- 16
- Level
- High
- 01
Asset
Supplier relationships, outsourced services, supplier-managed information, third-party access paths, supplier products, and service dependencies.
Business object or system that needs protection. - 02
Threat
Supplier compromise, supplier negligence, unmanaged subcontractor access, business disruption, unauthorized information disclosure, or supplier-caused control failure.
Event, actor, or condition that can create harm. - 03
Vulnerability
Supplier inventory, ownership, information exposure, risk tiering, assurance evidence, subcontractor visibility, and review cadence are missing or incomplete.
Weakness that makes the threat relevant. - 04
Risk
Because suppliers, products, and services are not inventoried, owned, risk-tiered, and periodically reviewed, the organization may accept security exposure without knowing who is accountable or what controls apply.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through a supplier security register, supplier owners, risk assessment, risk-tiered due diligence, subcontractor visibility, security agreement requirements, and periodic review.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is high because supplier relationships change continuously and often begin through procurement, operations, or engineering before security ownership is fully recorded.
Impact
The impact is high because unmanaged suppliers can create data exposure, service disruption, contract failure, audit findings, and downstream compliance gaps.
Residual Risk
After treatment, residual risk is estimated as medium when all security-relevant suppliers are owned, risk-tiered, reviewed, and linked to agreement and assurance evidence.
Review Notes
Review after supplier onboarding, renewal, service scope changes, subcontractor changes, incidents, assurance findings, and material business or regulatory changes.
Software Object Mapping
- risk
- supplier
- control
- evidence
- review
- Iso27005
- Risk
- Iso27001
- Supplier security
Note Metadata
Aliases: RISK-0011
Source: 05-Risk-Knowledge-Base/RISK-0011-Unmanaged-Supplier-Security-Exposure.md