Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”
Plain-language meaning
The organization must manage information security risks created by suppliers, supplier products, and supplier services.
This includes suppliers with logical access, physical access, exposure to sensitive information, influence over business-critical decisions, or responsibility for systems, services, facilities, data, or support.
Why this matters
Suppliers can create risk even when they do not directly access systems.
Examples:
- remote support provider with privileged access;
- cloud service hosting customer data;
- cleaning contractor exposed to documents on desks;
- payroll provider processing employee data;
- software product used in a critical process;
- supplier data used for business-critical decisions;
- subcontractor performing part of the service;
- managed service provider with administrative control.
If supplier security is unmanaged, the organization imports risk without clear ownership.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define supplier security policy and procedure
The organization should define:
- which suppliers require security assessment;
- supplier risk tiering;
- required due diligence;
- contract security requirements;
- access approval;
- information transfer rules;
- subcontractor expectations;
- monitoring and review;
- incident notification;
- termination and exit controls.
2. Maintain a master supplier list
The supplier list should identify:
| Field | Purpose |
|---|---|
| Supplier name | Identifies relationship |
| Service/product | Defines dependency |
| Supplier owner | Assigns accountability |
| Information exposed | Shows data risk |
| Access type | Physical, logical, remote, privileged, none |
| Security tier | Prioritizes assessment depth |
| Agreement reference | Links controls to contract |
| Subcontractor use | Shows delegated risk |
| Review date | Supports ongoing management |
3. Assess supplier risks
Supplier risk should consider:
- information classification;
- access to systems or premises;
- business criticality;
- legal and regulatory obligations;
- supplier location;
- subcontractors;
- operational resilience;
- incident history;
- assurance evidence;
- dependency and exit difficulty.
Risk assessment should determine what controls, agreements, monitoring, and reviews are needed.
4. Tailor controls to supplier exposure
Do not apply the same questionnaire to every supplier. That creates paperwork without control.
| Supplier type | Typical controls |
|---|---|
| Low-risk office supplier | Basic confidentiality and conduct terms |
| Supplier exposed to sensitive data | NDA, data handling, access control, incident notification |
| Cloud/SaaS provider | Security assurance, data location, backup, availability, exit terms |
| Managed service provider | Privileged access, logging, MFA, change control, monitoring |
| Physical service provider | Visitor control, clean desk expectations, escorted access |
5. Address subcontractors
Suppliers may delegate work to other parties. The organization should know when this is allowed and what security requirements flow down.
Contracts should address:
- approval of subcontractors;
- equivalent security obligations;
- incident reporting;
- audit/assurance rights;
- data location and transfer;
- exit and deletion.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that supplier security is governed by policy, risk assessment, master supplier list, procedures, agreements, and periodic review.
Audit tests:
- request the master supplier list;
- sample suppliers by risk tier;
- verify supplier owner assignment;
- check supplier risk assessments;
- check agreements against exposure;
- verify information classification and access type;
- confirm subcontractor controls;
- check whether supplier reviews are performed;
- verify supplier incidents or changes are managed.
The auditor should reject a supplier process that only checks procurement cost and ignores security exposure.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Supplier security policy | Principles are defined |
| Supplier security procedure | Process is implemented |
| Master supplier list | Suppliers are known and owned |
| Supplier risk assessments | Risks are identified and evaluated |
| Supplier agreements | Requirements are contractually defined |
| Security questionnaires/assurance | Due diligence is performed |
| Access records | Supplier access is controlled |
| Subcontractor records | Delegated activities are managed |
| Supplier review records | Ongoing oversight exists |
| Supplier incident records | Supplier issues are handled |
Strong evidence
- Supplier list includes service, owner, access type, information exposure, risk tier, and agreement reference.
- Supplier risks are assessed before onboarding and reviewed periodically.
- Agreements match the sensitivity and access involved.
- Subcontractor use is controlled.
- High-risk suppliers provide assurance evidence.
- Supplier access is tied to access control and identity processes.
- Supplier changes and incidents trigger review.
Weak evidence
- Procurement list exists but no security tiering.
- Supplier security depends on informal trust.
- No record of information exposed to suppliers.
- Contracts lack security requirements.
- Subcontractors are unknown.
- Supplier access is not reviewed.
- All suppliers complete the same superficial questionnaire.
- Supplier-generated business-critical information is not considered.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| No master supplier list | Unknown supplier risk |
| Supplier owner not assigned | No accountable internal party |
| No risk tiering | Effort is wasted on low risk and missed on high risk |
| Contracts missing security terms | Requirements are unenforceable |
| Subcontractors ignored | Risk is pushed one layer away |
| Supplier access not connected to access control | Third-party access persists |
| Physical exposure ignored | Non-technical suppliers can still see sensitive information |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Supplier risk is not only logical system access.
- Suppliers can create risk through physical access, sensitive information exposure, products, services, or decision-support information.
- A procurement/vendor list is not enough; security exposure and risk tiering matter.
- Supplier procedures should consider subcontractors.
- Supplier controls should be proportional to information sensitivity and service impact.
- Supplier security must be implemented, not only written in a policy.
Related controls and concepts
- Risk Assessment
- Statement of Applicability
- A.5.14 Information Transfer
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.9 Inventory of Information and Other Associated Assets
- Information Transfer Rules Matrix
- Internal Audit
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.19 requires defined and implemented processes to manage supplier information security risks. A practical supplier security process includes a master supplier list, supplier owners, risk assessments, risk tiering, contractual controls, subcontractor controls, access control, and periodic review.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Supplier security
- Third parties
- Risk assessment
- Audit
Note Metadata
Aliases: A.5.19, Information Security in Supplier Relationships
Source: 02 Annex A Organizational Controls/A.5.19 Information Security in Supplier Relationships.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Internal Audit
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- A.5.19 Audit Evidence Pack
- AQ-ISO27001-A.5.19 Information Security in Supplier Relationships
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.30 - Outsourced Development
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.19 Information Security in Supplier Relationships
- A.5 Controls Implementation Audit Risk Mapping
- GDPR to ISO 27001 Engineering Crosswalk
- EXAM-008 - Supplier and Cloud Control Distinctions
- ISO 27002 Annex A Control Interpretation Map
- A.5.19 Audit Checklist
- Information Transfer Rules Matrix
- Supplier Security Agreement Requirements Checklist
- Supplier Security Register
- Supplier Security Responsibility Matrix
- Supplier Security Risk Assessment
- Third-Party Information Transfer Agreement Checklist
- Annex A Controls MOC