RISK-0012
Risk summary
- Likelihood
- 4
- Impact
- 4
- Score
- 16
- Level
- High
- 01
Asset
Supplier agreements, shared information, supplier access, support access, contractual obligations, security schedules, and supplier responsibility boundaries.
Business object or system that needs protection. - 02
Threat
Supplier non-performance, delayed incident notification, unauthorized subcontractor use, weak data handling, unsupported audit requests, or uncontrolled termination and exit behavior.
Event, actor, or condition that can create harm. - 03
Vulnerability
Security clauses, responsibility matrices, incident notification, access requirements, audit/assurance rights, subcontractor flow-down, and exit terms are absent, generic, or not approved before access.
Weakness that makes the threat relevant. - 04
Risk
Because supplier security requirements are not formally agreed before information sharing or access begins, the organization may rely on informal expectations that cannot be enforced during incidents, disputes, audits, or termination.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through risk-based supplier security requirements, authorized agreement approval, responsibility matrices, required security clauses, exception approval, and access gating before supplier work begins.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is high because supplier access is often operationally urgent and can start before contract language, legal review, and security review are complete.
Impact
The impact is high because missing agreement requirements weaken enforcement, limit incident response options, create audit gaps, and can leave customer or regulated data without clear obligations.
Residual Risk
After treatment, residual risk is estimated as medium when supplier access is blocked until security requirements are approved or exceptions are risk-accepted by the correct authority.
Review Notes
Review during onboarding, renewal, material service change, supplier exception approval, incident notification failures, audit findings, and contract termination planning.
Software Object Mapping
- risk
- supplier
- agreement
- control
- evidence
- Iso27005
- Risk
- Iso27001
- Supplier security
- Contracts
Note Metadata
Aliases: RISK-0012
Source: 05-Risk-Knowledge-Base/RISK-0012-Supplier-Access-Before-Security-Requirements-Are-Agreed.md