SR-2 / SR-3 / A.15.1.1 NIST SP 800-161 Rev 1

Do you assess and manage concentration risk (multiple critical functions in one vendor or one vendor's sub-processor)?

Demonstrate that the organization systematically identifies vendor concentration scenarios, assesses the risk of consolidating critical functions with single providers or their sub-processors, and implements appropriate risk treatment measures including diversification, enhanced due diligence, or compensating controls.

Description

What this control does

This control requires organizations to identify, assess, and actively manage concentration risk arising from vendor relationships, particularly when multiple critical business functions or sensitive data processes depend on a single vendor or its sub-processors. Organizations must inventory all vendor dependencies, classify functions by criticality, map which vendors support each function, and analyze the impact of vendor failure or compromise. Management activities include establishing risk thresholds for concentration, implementing diversification strategies where feasible, and maintaining enhanced contingency plans for high-concentration scenarios.
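The inventory-and-mapping activity described above is easiest to reason about as a dependency map: functions point at vendors, vendors point at sub-processors, and concentration is counted per provider after following that chain. The following is an added worked example, not code from the control text or from NIST SP 800-161; every vendor, sub-processor and function name in it is constructed. It shows why the sub-processor layer matters: in the sample data no single direct vendor carries two critical functions, but three critical functions land on one shared sub-processor, which a per-vendor assessment would never surface. It also includes a simple snapshot comparison of the kind a periodic concentration review could use to flag newly crossed thresholds.

```python
"""Vendor concentration check over a vendor / sub-processor dependency map.

Added worked example; not part of the control text. All names are constructed.
"""
from collections import defaultdict

# Constructed inventory: business function -> criticality and direct vendor.
FUNCTIONS = {
    "payroll":   {"criticality": "critical", "vendor": "HRCloud"},
    "ticketing": {"criticality": "standard", "vendor": "HRCloud"},
    "email":     {"criticality": "critical", "vendor": "MailCo"},
    "identity":  {"criticality": "critical", "vendor": "IdPInc"},
    "backups":   {"criticality": "critical", "vendor": "StoreCo"},
    "analytics": {"criticality": "standard", "vendor": "DataCo"},
}

# Constructed sub-processor map: provider -> providers it depends on.
# PayGate itself runs on CloudC, so the map is followed transitively.
SUB_PROCESSORS = {
    "HRCloud": ["CloudA", "PayGate"],
    "MailCo":  ["CloudA"],
    "IdPInc":  ["CloudA"],
    "StoreCo": ["CloudB"],
    "DataCo":  ["CloudB"],
    "PayGate": ["CloudC"],
}


def providers_for(vendor, sub_processors):
    """Return the vendor plus every provider reachable through its sub-processor chain.

    The visited set guards against cycles or duplicated entries in the map.
    """
    seen, stack = set(), [vendor]
    while stack:
        provider = stack.pop()
        if provider in seen:
            continue
        seen.add(provider)
        stack.extend(sub_processors.get(provider, []))
    return seen


def concentration(functions, sub_processors, criticality="critical"):
    """Map each provider to the set of functions of the given criticality that
    depend on it, either directly (as vendor) or transitively (as sub-processor)."""
    by_provider = defaultdict(set)
    for name, meta in functions.items():
        if meta["criticality"] != criticality:
            continue
        for provider in providers_for(meta["vendor"], sub_processors):
            by_provider[provider].add(name)
    return dict(by_provider)


def over_threshold(by_provider, threshold=2):
    """Providers carrying at least `threshold` functions, most concentrated first.

    The threshold is the organization's own concentration limit; 2 is a placeholder.
    """
    hits = {p: sorted(f) for p, f in by_provider.items() if len(f) >= threshold}
    return dict(sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def new_concentrations(before, after, threshold=2):
    """Providers that cross the threshold in `after` but not in `before`;
    a periodic-review check for newly created concentration."""
    return sorted(set(over_threshold(after, threshold))
                  - set(over_threshold(before, threshold)))


if __name__ == "__main__":
    direct_only = concentration(FUNCTIONS, {})              # sub-processors ignored
    full = concentration(FUNCTIONS, SUB_PROCESSORS)         # chain followed
    print("direct vendors over threshold:", over_threshold(direct_only))
    print("with sub-processors:          ", over_threshold(full))
    # Simulated change: a new critical function placed on an existing vendor.
    changed = dict(FUNCTIONS, sso_logs={"criticality": "critical", "vendor": "StoreCo"})
    print("newly concentrated after change:",
          new_concentrations(full, concentration(changed, SUB_PROCESSORS)))
```

Run as-is, the direct-vendor view reports nothing, the sub-processor view reports CloudA with payroll, email and identity, and the simulated change flags both StoreCo and its sub-processor CloudB. In a real inventory the sub-processor map is the hard part to keep current; it is exactly the data the testing procedure asks the auditor to trace for the sampled vendors.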

Control objective

What auditing this proves

Demonstrate that the organization systematically identifies vendor concentration scenarios, assesses the risk of consolidating critical functions with single providers or their sub-processors, and implements appropriate risk treatment measures including diversification, enhanced due diligence, or compensating controls.

Associated risks

Risks this control addresses

  • Single vendor failure or service disruption cascades across multiple critical business functions simultaneously, exceeding recovery capacity
  • Compromise of one vendor's infrastructure grants attacker access to multiple sensitive systems or data repositories through shared infrastructure or credentials
  • Vendor bankruptcy, acquisition, or policy change impacts multiple critical services concurrently without adequate transition time
  • Security incident at a sub-processor shared by several of the organization's vendors affects multiple direct vendor relationships at once, without the organization's knowledge, because individual vendor assessments do not look below the direct vendor
  • Regulatory action, geographic disruption, or geopolitical sanction against one vendor simultaneously disables multiple critical capabilities
  • Deep integration across multiple functions removes negotiating leverage and exit options, leaving the organization exposed to vendor lock-in
  • Insufficient contingency resources to address simultaneous failures across multiple functions dependent on concentrated vendor relationships

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's complete vendor inventory and identify which vendors are documented as supporting multiple critical business functions or processing multiple data classifications
  2. Review the organization's methodology and criteria for identifying concentration risk, including definitions of 'critical function' and thresholds for unacceptable concentration
  3. Select a sample of 5-7 vendors supporting critical functions and trace whether sub-processor relationships are documented, including which sub-processors support multiple primary vendors
  4. Examine concentration risk assessments for sampled vendors to verify they include likelihood and impact analysis of simultaneous multi-function failure scenarios
  5. Review risk treatment decisions for identified concentration scenarios, verifying documentation of acceptance rationale, diversification plans, or enhanced controls
  6. Validate that business continuity and disaster recovery plans account for concentration risk scenarios by examining tabletop exercise records or recovery runbooks that address multi-function vendor loss
  7. Interview vendor management and procurement personnel to confirm awareness of current concentration levels and verify adherence to documented risk thresholds in new vendor selection decisions
  8. Test whether monitoring mechanisms exist to detect changes in concentration (new functions added to existing vendors, vendor M&A activity, sub-processor changes) by reviewing alerting configurations or periodic review schedules

Evidence required

Auditor collects vendor inventory with critical function mappings, concentration risk assessment reports identifying multi-function vendors and sub-processor dependencies, risk registers showing concentration risk treatment decisions with dates and approvers, vendor due diligence files for high-concentration providers showing enhanced scrutiny, business continuity plans with concentration failure scenarios, and vendor review meeting minutes or governance committee records discussing concentration thresholds.

Pass criteria

The organization maintains a current inventory mapping vendors to critical functions, has documented and applied concentration risk assessment criteria identifying scenarios where multiple critical functions depend on single vendors or sub-processors, and has implemented risk-appropriate treatment measures with evidence of ongoing monitoring for concentration changes.