top of page
Security Assessment Morse.png

Security Improvement in Action 


Security Health Check

Control Weakness Identified

Tear Away_edited.png

Example: Third-Party Supplier Management


High-Level Domain Risk Description – The risk that an attacker could compromise services provided by a third-party supplier due to the supplier having inadequate security controls in place, resulting in data disclosure, corruption, or service interruption.

In the example below, we use a single security domain from the Risk Reduction Equaliser to demonstrate our improvement approach.

Health Check.png
Define 2.png


Based on the control weaknesses identified in the Security Health Check, a detailed risk description is documented and then scored using a risk matrix.

Risk Description.png

No inventory of suppliers

No profiling to inform

inherent risk

Assurance reviews not 


Based on weaknesses risk assessed at:


  • Probability Likely

  • Impact High

Risk Matrix.png

Security Improvement Plan (SIP)

This consists of three core components to inform your approach:

  1. Activities

  2. Cost

  3. Priority

Extract from Risk Reduction Equaliser

Improvement Plan.png

Establish supplier inventory detailing what they do and how they access data.

Calculate suppliers’ inherent risk ‘score’ based on the  risk they pose.

Conduct regular security assurance activity based on suppliers’ inherent risk. 


This depicts the Third-Party Supplier Management domain in our Risk Reduction Equaliser. It summarises the current risk position together with proposed financial investment and the corresponding risk-reduction aims.



Turning a plan into action brings its own challenges, but we can help you succeed:

Security Consultancy

Bespoke support, from stakeholder management to technical advice.

Security Concultancy Logo.png
Security Resources.png

Security Resources 

Access our industry-leading network of security practitioners.

Security Assessment Morse.png

View Our

Case Studies

Health Check Logo.png
bottom of page