When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this before onboarding or materially changing a supplier relationship, and during periodic supplier review.
Assessment
| Question | Answer | Risk/notes | Action |
|---|---|---|---|
| What information will the supplier access or process? | TBD | TBD | TBD |
| What classification applies? | TBD | TBD | TBD |
| Will the supplier have logical access? | TBD | TBD | TBD |
| Will the supplier have physical access? | TBD | TBD | TBD |
| Is the service business-critical? | TBD | TBD | TBD |
| Are legal, regulatory, or contractual obligations involved? | TBD | TBD | TBD |
| Will subcontractors be used? | TBD | TBD | TBD |
| What assurance evidence is available? | TBD | TBD | TBD |
| What incident notification terms are required? | TBD | TBD | TBD |
| What exit or deletion requirements apply? | TBD | TBD | TBD |
Required controls
- Security requirements included in agreement.
- Access control and identity requirements defined.
- Information transfer requirements defined.
- Confidentiality/NDA terms included.
- Subcontractor requirements included.
- Incident notification included.
- Review/assurance requirements defined.
- Exit, return, deletion, or transition requirements defined.
Related notes
- Template
- Iso27001
- A5 19
- Supplier risk
Note Metadata
Aliases: Supplier Risk Assessment
Source: 90 Templates/Supplier Security Risk Assessment.md
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- A.5.19 Audit Evidence Pack
- ISO 27001 A.8.30 - Outsourced Development
- A.5 Organizational Controls Implementation Guide
- A.5.19 Audit Checklist
- ICT Supply Chain Risk Register
- Supplier Security Agreement Requirements Checklist
- Supplier Security Register
- Templates MOC