Exam focus
Supplier controls are related but not interchangeable. Read the question for lifecycle stage: relationship, agreement, ICT supply chain, monitoring, or cloud.
Topic Summary
Supplier and cloud controls overlap in practice, but the exam often tests the distinction between supplier risk management, contractual requirements, supply chain dependencies, ongoing monitoring, and cloud-specific governance.
Key Concepts
- A.5.19: manage supplier relationship security risk.
- A.5.20: put security requirements into agreements.
- A.5.21: manage ICT supply chain dependencies.
- A.5.22: monitor and manage supplier service changes.
- A.5.23: govern cloud acquisition, use, management, and exit.
Common Exam Traps
- Treating onboarding as enough.
- Ignoring subcontractors and cloud shared responsibility.
- Treating provider certification as proof customer configuration is secure.
Related Notes
- A.5.19 Information Security in Supplier Relationships
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.5.21 Managing Information Security in the ICT Supply Chain
- A.5.22 Monitoring, Review and Change Management of Supplier Services
- A.5.23 Information Security for Use of Cloud Services
- Iso27001
- Exam
Note Metadata
Source: 09-Exam-Preparation/EXAM-008-Supplier-Cloud-Control-Distinctions.md
Related Notes
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services