UnixTime

Research Note

RISK-0013 Inherited ICT Supply Chain Compromise Through Unreviewed Dependencies

Because ICT supplier dependencies, subcontractors, hosting platforms, software components, and support parties are not identified or reviewed, a compromise or control failure outside the direct supplier may affect the organization.

On this page

RISK-0013

Risk summary

Likelihood
4
Impact
5
Score
20
Level
Critical
  1. 01

    Asset

    ICT services, SaaS platforms, managed services, software components, hosting dependencies, support chains, data flows, and operational technology dependencies.

    Business object or system that needs protection.
  2. 02

    Threat

    Indirect supplier compromise, dependency failure, malicious component insertion, subcontractor mishandling, hosting provider incident, support-party unauthorized access, or undisclosed material service change.

    Event, actor, or condition that can create harm.
  3. 03

    Vulnerability

    The supplier review stops at the direct supplier and does not record inherited dependencies, data locations, flow-down obligations, assurance evidence, or material change notification requirements.

    Weakness that makes the threat relevant.
  4. 04

    Risk

    Because ICT supplier dependencies, subcontractors, hosting platforms, software components, and support parties are not identified or reviewed, a compromise or control failure outside the direct supplier may affect the organization.

    Scenario evaluated with likelihood, impact, and ownership.
  5. 05

    Treatment

    Mitigate through ICT dependency mapping, supply-chain risk registers, flow-down clauses, subcontractor and hosting visibility, material change notification, assurance review, and risk reassessment after supplier changes.

    Decision path for reducing, accepting, transferring, or avoiding risk.

Assessment Rationale

Likelihood

The likelihood is high because modern ICT services are layered and suppliers routinely depend on cloud providers, subcontractors, support organizations, and third-party components.

Impact

The impact is critical because inherited ICT supply-chain compromise can affect confidentiality, integrity, availability, contractual commitments, regulatory duties, and incident response timelines.

Residual Risk

After treatment, residual risk is estimated as medium when critical ICT services have dependency visibility, contractual flow-down controls, assurance evidence, and reassessment after material changes.

Review Notes

Review after supplier architecture changes, hosting changes, subcontractor changes, component vulnerability advisories, ICT incidents, assurance report findings, and critical service renewal.

Software Object Mapping

  • risk
  • supplier
  • dependency
  • control
  • evidence
  • change
  • Iso27005
  • Risk
  • Iso27001
  • Supplier security
  • Ict supply chain

Note Metadata

Aliases: RISK-0013

Source: 05-Risk-Knowledge-Base/RISK-0013-Inherited-ICT-Supply-Chain-Compromise.md