RISK-0013
Risk summary
- Likelihood
- 4
- Impact
- 5
- Score
- 20
- Level
- Critical
- 01
Asset
ICT services, SaaS platforms, managed services, software components, hosting dependencies, support chains, data flows, and operational technology dependencies.
Business object or system that needs protection. - 02
Threat
Indirect supplier compromise, dependency failure, malicious component insertion, subcontractor mishandling, hosting provider incident, support-party unauthorized access, or undisclosed material service change.
Event, actor, or condition that can create harm. - 03
Vulnerability
The supplier review stops at the direct supplier and does not record inherited dependencies, data locations, flow-down obligations, assurance evidence, or material change notification requirements.
Weakness that makes the threat relevant. - 04
Risk
Because ICT supplier dependencies, subcontractors, hosting platforms, software components, and support parties are not identified or reviewed, a compromise or control failure outside the direct supplier may affect the organization.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through ICT dependency mapping, supply-chain risk registers, flow-down clauses, subcontractor and hosting visibility, material change notification, assurance review, and risk reassessment after supplier changes.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is high because modern ICT services are layered and suppliers routinely depend on cloud providers, subcontractors, support organizations, and third-party components.
Impact
The impact is critical because inherited ICT supply-chain compromise can affect confidentiality, integrity, availability, contractual commitments, regulatory duties, and incident response timelines.
Residual Risk
After treatment, residual risk is estimated as medium when critical ICT services have dependency visibility, contractual flow-down controls, assurance evidence, and reassessment after material changes.
Review Notes
Review after supplier architecture changes, hosting changes, subcontractor changes, component vulnerability advisories, ICT incidents, assurance report findings, and critical service renewal.
Software Object Mapping
- risk
- supplier
- dependency
- control
- evidence
- change
- Iso27005
- Risk
- Iso27001
- Supplier security
- Ict supply chain
Note Metadata
Aliases: RISK-0013
Source: 05-Risk-Knowledge-Base/RISK-0013-Inherited-ICT-Supply-Chain-Compromise.md