UnixTime

Research Note

ICT Supply Chain Risk Register

Use this for critical ICT products and services where subcontractors, cloud platforms, hosting providers, software components, support parties, or other dependencies may affect...

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this for critical ICT products and services where subcontractors, cloud platforms, hosting providers, software components, support parties, or other dependencies may affect information security.

Register

ICT product/service Direct supplier Business owner Criticality Known dependencies Data/access exposure Data location Change notification required Assurance reviewed Key risks Controls/actions Review date

Review questions

  • Who else helps deliver the service?
  • Which parties can access organizational data or systems?
  • Where is data stored, processed, backed up, or supported from?
  • What supplier changes require notification or approval?
  • Are security obligations flowed down to relevant subcontractors?
  • Has assurance evidence been reviewed for critical dependencies?
  • Has the risk assessment been updated after material changes?