ISO 27001:2022 AI Vendor Risk Assessment
Automate comprehensive third-party security evaluations aligned with the latest ISO 27001:2022 standards and supplier relationship controls.
You are a Senior Information Security Auditor and ISO 27001 Lead Implementer with expertise in ISO 27036 (Supplier Relationships). Conduct a comprehensive vendor risk assessment based on the following context:

**VENDOR PROFILE:**
- Vendor Name: [VENDOR_NAME]
- Service/Product Type: [SERVICE_TYPE]
- Data Classification Handled: [DATA_CLASSIFICATION] (Public/Internal/Confidential/Restricted)
- ISO 27001 Version Reference: [ISO27001_VERSION] (default: 2022)
- Specific Focus Areas: [SPECIFIC_CONTROLS] (optional: e.g., 'cloud security', 'AI processing')
- Previous Findings: [PREVIOUS_AUDIT_FINDINGS] (if applicable)

**ASSESSMENT FRAMEWORK:**
Use ISO 27001:2022 Annex A Organizational Controls (5.19-5.22) as the foundation, plus relevant technical controls based on service type:
- 5.19: Information security in supplier relationships
- 5.20: Addressing information security within supplier agreements
- 5.21: Managing information security in the ICT supply chain
- 5.22: Monitoring, review and change management of supplier services
- Plus applicable controls from category 8 (Technological) and others based on [SERVICE_TYPE]

**REQUIRED OUTPUT:**

1. **Executive Summary**
   - Overall Risk Rating (Critical/High/Medium/Low)
   - Risk Score (0-100 scale)
   - Recommendation (Approve/Conditional/Decline)
   - Key Risk Indicators (top 3)

2. **Control Assessment Matrix**
   For each relevant ISO 27001:2022 control:
   - Control ID and Name
   - Maturity Level (1-5)
   - Evidence Required vs. Available
   - Gap Description (if any)
   - Residual Risk Rating

3. **Supplier Agreement Checklist (ISO 27036 Compliance)**
   - Required contractual clauses (data protection, audit rights, breach notification, termination procedures)
   - SLA security requirements
   - Right-to-audit provisions
   - Data localization/sovereignty requirements

4. **ICT Supply Chain Analysis**
   - Fourth-party (subprocessor) risks
   - Concentration risk assessment
   - Geographic/political risk factors
   - Business continuity dependencies

5. **Remediation Roadmap**
   - Immediate actions (0-30 days)
   - Short-term improvements (30-90 days)
   - Long-term strategic controls (90+ days)
   - Validation methods for each control

6. **Compliance Mapping**
   - Cross-reference to GDPR Article 28 (if applicable), NIST CSF, or SOC 2 Type II criteria
   - Regulatory-specific considerations for [DATA_CLASSIFICATION]

**CONSTRAINTS:**
- If data is insufficient for a control area, mark it as "Unable to Assess" and specify the required evidence
- Flag any contradictions between [PREVIOUS_AUDIT_FINDINGS] and current assessment assumptions
- Assume Zero Trust principles for cloud/remote access scenarios
- Consider supply chain attacks (e.g., SolarWinds-type scenarios) in risk weighting

**FORMAT:**
Use professional markdown with tables for matrices, checkboxes for agreements, and risk-appropriate color-coded indicators (🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low). Include a final "Confidence Level" disclaimer noting that this is an AI-assisted preliminary assessment requiring human verification.
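The prompt asks the model to turn per-control maturity levels into a Control Assessment Matrix and an Executive Summary (0-100 risk score, four-level rating, Approve/Conditional/Decline), and to mark controls with no evidence as "Unable to Assess". The Python below is an added worked example of that scoring step, not code from the prompt's author or from any ISO document: the classification weights, the gap formula, the rating thresholds and the recommendation rules are assumptions chosen for illustration, and the sample maturity values are constructed. It is useful as a deterministic cross-check on the numbers an AI-assisted assessment reports, and it treats an unassessed control conservatively, as a full gap that can never raise the recommendation to Approve.

```python
"""Added example: deterministic scorer for the prompt's Control Assessment
Matrix and Executive Summary. Weights, thresholds and rules are assumptions."""
from dataclasses import dataclass
from typing import Optional

# ISO 27001:2022 Annex A supplier controls named in the prompt.
CONTROLS = {
    "5.19": "Information security in supplier relationships",
    "5.20": "Addressing information security within supplier agreements",
    "5.21": "Managing information security in the ICT supply chain",
    "5.22": "Monitoring, review and change management of supplier services",
}

# Assumed multipliers: a higher data classification amplifies every gap.
CLASSIFICATION_WEIGHT = {"Public": 0.5, "Internal": 0.75,
                         "Confidential": 1.0, "Restricted": 1.25}

INDICATOR = {"Critical": "🔴", "High": "🟠", "Medium": "🟡", "Low": "🟢"}


def rate(score: float) -> str:
    """Map a 0-100 score onto the prompt's four ratings (assumed thresholds)."""
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


@dataclass
class ControlResult:
    control_id: str
    name: str
    maturity: Optional[int]   # None means "Unable to Assess"
    gap_score: float          # 0 (fully mature) .. 100 (control absent)
    residual_rating: str


def assess_control(control_id: str, maturity: Optional[int], weight: float) -> ControlResult:
    """Score one control from its 1-5 maturity level and the classification weight."""
    if maturity is None:
        # Conservative assumption: missing evidence counts as a full gap, so an
        # unassessed control can never make the overall score look better.
        return ControlResult(control_id, CONTROLS[control_id], None, 100.0, "Unable to Assess")
    if not 1 <= maturity <= 5:
        raise ValueError(f"maturity must be 1-5, got {maturity}")
    gap = min(100.0, (5 - maturity) / 4 * 100 * weight)
    return ControlResult(control_id, CONTROLS[control_id], maturity, gap, rate(gap))


def executive_summary(maturities: dict, classification: str) -> dict:
    """Build the Executive Summary fields from a {control_id: maturity} dict."""
    weight = CLASSIFICATION_WEIGHT[classification]
    results = [assess_control(cid, maturities.get(cid), weight) for cid in CONTROLS]
    score = round(sum(r.gap_score for r in results) / len(results), 1)
    rating = rate(score)
    unassessed = [r.control_id for r in results if r.maturity is None]
    if rating == "Critical":
        recommendation = "Decline"
    elif rating == "Low" and not unassessed:
        recommendation = "Approve"
    else:
        recommendation = "Conditional"   # any gap or missing evidence needs conditions
    top3 = sorted(results, key=lambda r: r.gap_score, reverse=True)[:3]
    return {
        "risk_score": score,
        "overall_rating": rating,
        "recommendation": recommendation,
        "key_risk_indicators": [f"{r.control_id} {r.name}" for r in top3],
        "unable_to_assess": unassessed,
        "matrix": results,
    }


def render_matrix(results) -> str:
    """Markdown table with the colour indicators the prompt's FORMAT section requests."""
    lines = ["| Control | Maturity | Gap Score | Residual Risk |", "|---|---|---|---|"]
    for r in results:
        maturity = "n/a" if r.maturity is None else str(r.maturity)
        flag = INDICATOR.get(r.residual_rating, "⚪")
        lines.append(f"| {r.control_id} {r.name} | {maturity} | {r.gap_score:.0f} | {flag} {r.residual_rating} |")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: vendor handling Confidential data, no evidence yet for 5.21.
    sample = {"5.19": 4, "5.20": 3, "5.21": None, "5.22": 2}
    summary = executive_summary(sample, "Confidential")
    print(render_matrix(summary["matrix"]))
    print(summary["risk_score"], summary["overall_rating"], summary["recommendation"])
    print("Unable to Assess:", summary["unable_to_assess"])
```

With the constructed sample the four gap scores are 25, 50, 100 and 75, giving a risk score of 62.5 (High) and a Conditional recommendation, with 5.21 listed as the top key risk indicator because it could not be assessed. Swapping the classification to Restricted raises every assessed gap by a quarter, which is the intended effect of weighting by the data the vendor handles.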