UnixTime

Research Note

A.5.19 Audit Checklist

Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.

Checklist

  • Supplier security policy or principles exist.
  • Supplier security procedure exists.
  • Master supplier list exists.
  • Supplier owners are assigned.
  • Supplier information exposure is recorded.
  • Supplier physical/logical access is recorded.
  • Supplier risk assessments are performed.
  • Suppliers are risk-tiered.
  • Agreements include security requirements appropriate to exposure.
  • Subcontractor use is controlled.
  • Supplier access is tied to access and identity controls.
  • Supplier assurance or review is performed based on risk.
  • Supplier incidents and changes trigger review.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 19

Note Metadata

Aliases: A.5.19 Checklist

Source: 90 Templates/A.5.19 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.