When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this as the master security view of suppliers, products, and services that can affect information security.
Register
| Supplier | Product/service | Internal owner | Information exposed | Access type | Security tier | Agreement reference | Subcontractors | Last review | Next review | Issues/actions |
|---|---|---|---|---|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | Physical / Logical / Remote / Data / None | Low / Medium / High | TBD | TBD | TBD | TBD | TBD |
Maintenance checklist
- Supplier owner assigned.
- Information exposure identified.
- Physical/logical access identified.
- Risk tier assigned.
- Contract or agreement reference recorded.
- Subcontractor use recorded.
- Review date defined.
- Supplier changes and incidents trigger review.
Related notes
- Template
- Iso27001
- A5 19
- Supplier security
Note Metadata
Aliases: Master Supplier Security List
Source: 90 Templates/Supplier Security Register.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.29 - Information Security During Disruption
- A.5.19 Audit Evidence Pack
- A.5 Organizational Controls Implementation Guide
- ISO 27002 Annex A Control Interpretation Map
- A.5.19 Audit Checklist
- Cloud Service Register
- Supplier Security Risk Assessment
- Supplier Service Review and Change Log
- Third-Party Information Transfer Agreement Checklist
- Templates MOC