When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this when a supplier relationship has shared security responsibilities and the contract needs a clear split between the organization, the supplier, and any shared control areas.
Responsibility matrix
| Control area | Organization responsibility | Supplier responsibility | Shared responsibility | Evidence location | Notes |
|---|---|---|---|---|---|
| Access approval | |||||
| Account provisioning | |||||
| Privileged access | |||||
| MFA/authentication | |||||
| Logging and monitoring | |||||
| Incident notification | |||||
| Vulnerability management | |||||
| Backup and recovery | |||||
| Data retention/deletion | |||||
| Subcontractor management | |||||
| Service change notification | |||||
| Exit support |
Related notes
- Template
- Supplier security
- Contracts
- Iso27001
Note Metadata
Aliases: Supplier Control Responsibility Matrix
Source: 90 Templates/Supplier Security Responsibility Matrix.md
Related Notes
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- A.5.20 Audit Evidence Pack
- ISO 27001 A.8.30 - Outsourced Development
- A.5 Organizational Controls Implementation Guide
- A.5.20 Audit Checklist
- Templates MOC