RISK-0014
Risk summary
- Likelihood
- 4
- Impact
- 4
- Score
- 16
- Level
- High
- 01
Asset
Supplier services, supplier controls, service reports, supplier access, supplier change records, assurance reports, incident notifications, and contract variations.
Business object or system that needs protection. - 02
Threat
Uncontrolled supplier service change, degraded supplier security practice, repeated supplier finding, missed supplier incident, unreviewed support change, or silently changed data processing location.
Event, actor, or condition that can create harm. - 03
Vulnerability
Supplier monitoring is one-time, reports are stored but not evaluated, material changes are accepted by operations without security review, and corrective actions are not tracked.
Weakness that makes the threat relevant. - 04
Risk
Because supplier service reports, security practices, incidents, and material changes are not actively reviewed, supplier risk may increase after onboarding without triggering control updates or management decisions.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through assigned supplier owners, scheduled reviews, service and security report review, change logs, risk reassessment, incident integration, corrective action tracking, and contract update review.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is high because suppliers change platforms, staff, subcontractors, service scope, locations, and controls over time while the original onboarding evidence becomes stale.
Impact
The impact is high because unreviewed supplier changes can bypass agreed controls, break contract assumptions, increase regulatory exposure, and delay incident or corrective action.
Residual Risk
After treatment, residual risk is estimated as medium when high-risk suppliers have review records, material changes trigger reassessment, and findings produce tracked corrective actions.
Review Notes
Review after supplier reports, SLA misses, security incidents, assurance findings, service scope changes, location changes, support model changes, and contract variations.
Software Object Mapping
- risk
- supplier
- review
- change
- control
- evidence
- Iso27005
- Risk
- Iso27001
- Supplier security
- Supplier monitoring
- Change management
Note Metadata
Aliases: RISK-0014
Source: 05-Risk-Knowledge-Base/RISK-0014-Supplier-Service-Change-Without-Risk-Review.md