UnixTime

Research Note

Supplier Security Risk Assessment

Use this before onboarding or materially changing a supplier relationship, and during periodic supplier review.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this before onboarding or materially changing a supplier relationship, and during periodic supplier review.

Assessment

Question Answer Risk/notes Action
What information will the supplier access or process? TBD TBD TBD
What classification applies? TBD TBD TBD
Will the supplier have logical access? TBD TBD TBD
Will the supplier have physical access? TBD TBD TBD
Is the service business-critical? TBD TBD TBD
Are legal, regulatory, or contractual obligations involved? TBD TBD TBD
Will subcontractors be used? TBD TBD TBD
What assurance evidence is available? TBD TBD TBD
What incident notification terms are required? TBD TBD TBD
What exit or deletion requirements apply? TBD TBD TBD

Required controls

  • Security requirements included in agreement.
  • Access control and identity requirements defined.
  • Information transfer requirements defined.
  • Confidentiality/NDA terms included.
  • Subcontractor requirements included.
  • Incident notification included.
  • Review/assurance requirements defined.
  • Exit, return, deletion, or transition requirements defined.