How should teams handle Risk Tiers under ISO/IEC 27036?
Start with the operational decision: define what Risk Tiers means within your ISO/IEC 27036 scope, who owns it, and which record proves the decision is current. Under NIST SP 800-30, risk is typically a function of likelihood and impact, so a practical tiering model should sort suppliers, services, or scenarios by those two factors and by the business context that makes them more or less important.
For risk work, keep the model separate from the result by recording each element on its own: risk criteria, scenario assumptions, likelihood rationale, impact rationale, existing controls, treatment choice, residual risk, and acceptance authority. This keeps the answer useful in audits, customer reviews, incidents, supplier reviews, and management review. Use a lower tier for low-likelihood, low-impact, well-controlled relationships; use a higher tier when the supplier, service, data flow, or dependency can create greater business impact, wider exposure, or more difficult recovery.
- Name the accountable owner and reviewer for Risk Tiers.
- Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when Risk Tiers changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.
Sources for this guidance:
- ISO/IEC 27036 supports the Risk Tiers guidance by framing the supplier-relationship security concepts used to classify supplier risk and governance depth.
- NIST SP 800-30 grounds the practical distinction between tiers in likelihood and impact, and in repeated review as risk conditions change.