When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this for critical ICT products and services where subcontractors, cloud platforms, hosting providers, software components, support parties, or other dependencies may affect information security.
Register
| ICT product/service | Direct supplier | Business owner | Criticality | Known dependencies | Data/access exposure | Data location | Change notification required | Assurance reviewed | Key risks | Controls/actions | Review date |
|---|---|---|---|---|---|---|---|---|---|---|---|
Review questions
- Who else helps deliver the service?
- Which parties can access organizational data or systems?
- Where is data stored, processed, backed up, or supported from?
- What supplier changes require notification or approval?
- Are security obligations flowed down to relevant subcontractors?
- Has assurance evidence been reviewed for critical dependencies?
- Has the risk assessment been updated after material changes?
Related notes
- Template
- Supplier security
- Ict supply chain
- Risk assessment
- Iso27001
Note Metadata
Aliases: ICT Supplier Dependency Register
Source: 90 Templates/ICT Supply Chain Risk Register.md
Related Notes
- Risk Assessment
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- A.5.21 Audit Evidence Pack
- A.5 Organizational Controls Implementation Guide
- ISO 27002 Annex A Control Interpretation Map
- A.5.21 Audit Checklist
- Supplier Security Risk Assessment
- Templates MOC