What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.
Evidence to request
| Evidence | Purpose |
|---|---|
| Supplier security policy | Shows principles are defined |
| Supplier security procedure | Shows process is implemented |
| Master supplier list | Shows suppliers are known |
| Supplier risk assessments | Shows supplier risks are assessed |
| Supplier security register | Shows exposure, owner, tier, and agreement data |
| Supplier agreements | Shows requirements are contractual |
| Security questionnaires/assurance evidence | Shows due diligence |
| Supplier access records | Shows access is controlled |
| Subcontractor records | Shows delegated work is managed |
| Supplier review records | Shows ongoing oversight |
| Supplier incident records | Shows supplier issues are handled |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Supplier list includes owner, service, information exposure, access type, risk tier, and agreement reference.
- Supplier risk is assessed before onboarding and reviewed periodically.
- Agreements reflect information sensitivity and service impact.
- High-risk suppliers provide assurance evidence.
- Supplier access is tied to access and identity processes.
- Subcontractor use is known and controlled.
- Supplier changes and incidents trigger review.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Procurement list exists but no security assessment.
- Supplier security handled informally.
- No record of supplier information exposure.
- Security terms missing from contracts.
- Subcontractors unknown.
- Supplier access not reviewed.
- All suppliers receive the same superficial review.
Sample interview questions
- Which suppliers can access sensitive information or systems?
- Who owns each supplier relationship?
- How are supplier risks assessed?
- How are supplier security requirements put into contracts?
- How are subcontractors controlled?
- How often are suppliers reviewed?
- What happens after a supplier security incident?
Common nonconformities
- No supplier security process.
- No master supplier list.
- Supplier owner missing.
- Supplier risk assessments not performed.
- Agreements do not address security.
- Supplier access not governed.
- Subcontractor risk ignored.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 19
Note Metadata
Aliases: A.5.19 Evidence
Source: 04 Audit Evidence Packs/A.5.19 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.