Posts

Showing posts from December, 2023

Categorised plans

Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog. This is just a rough diagram to illustrate the concept. Very rough. "Rough as" as we say down here on the Far Side.

Assessing upstream supply chain information risks

Yesterday, someone sought guidance from the ISO27k Forum on categorising vendors by risk. Here's my coffee-fueled early-morning response, lightly edited for this blog.

Risk assessment criteria

In the context of an ISO 27001 Information Security Management System, information risk in the upstream supply chain/network, viewed from the customer organisation's business perspective, is the primary concern in relation to vendors. Breaking that down, the kinds of factors that may affect the information risk levels include: