ISO 27001:2022 Annex A Control 5.19

Information Security in Supplier Relationships

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

ISO 27001:2022 Annex A Control 5.19 is about information security in supplier relationships. The objective here is protection of the organisation’s valuable assets that are accessible to or affected by suppliers.

We also recommend that you also consider other key relationships here too, for example partners if they are not suppliers but also have an impact on your assets that might not simply be covered by a contract alone.

This is an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.

Suppliers are used for two main reasons; one: you want them to do work that you have chosen not to do internally yourself, or; two: you can’t easily do the work as well or as cost effectively as the suppliers.

There are many important things to consider in approach to supplier selection and management but one size does not fit all and some suppliers will be more important than others.  As such your controls and policies should reflect that too and a segmentation of the supply chain is sensible; we advocate four categories of supplier based on the value and risk in the relationship. These range from those who are business critical through to other vendors who have no material impact on your organisation.

Purpose of ISO 27001:2022 Annex A 5.19

ISO 27001:2002 Annex A Control 5.19 concerns itself with an organisation’s obligation to ensure that, when using supplier-side products and services (including cloud service providers), adequate consideration is given to the level of risk inherent in using external systems, and the consequential impact that may have on their own information security adherence.

A good policy describes the supplier segmentation, selection, management, exit, how information assets around suppliers are controlled in order to mitigate the associated risks, yet still enable the business goals and objectives to be achieved. Smart organisations will wrap their information security policy for suppliers into a broader relationship framework and avoid just concentrating on security per se, looking to the other aspects as well.

Annex A Control 5.19 is a preventative control that modifies risk by maintaining procedures that address inherent security risks associated with the use of products and services provided by third parties.

Who Has Ownership of Annex A 5.19?

Whilst Control ISO 27001 Annex A 5.19 contains a lot of guidance on the use of ICT services, the broader scope of the control encompasses many other aspects of an organisation’s relationship with its supplier base, including supplier types, logistics, utilities, financial services and infrastructure components).

As such, ownership of Annex A Control 5.19 should rest with a member of senior management that oversees an organisation’s commercial operation, and maintains a direct relationship with an organisation’s suppliers, such as a Chief Operating Officer.

Get a Headstart on ISO 27001
  • All updated with the 2022 control set
  • Make 81% progress from the minute you log in
  • Simple and easy to use
Book your demo
img

General Guidance on ISO 27001:2022 Annex A 5.19

Compliance with Annex A Control 5.19 involves adhering to what’s known as a ‘topic-specific’ approach to information security in supplier relationships.

An organisation may want suppliers to access and contribute to certain high value information assets (e.g. software code development, accounting payroll information). They would therefore need to have clear agreements of exactly what access they are allowing them, so they can control the security around it.

This is especially important with more and more information management, processing and technology services being outsourced.  That means having a place to show management of the relationship is happening; contracts, contacts, incidents, relationship activity and risk management etc. Where the supplier is also intimately involved in the organisation, but may not have its own certified ISMS, then ensuring the supplier staff are educated and aware of security, trained on your policies etc is also worth demonstrating compliance around.

Topic-specific approaches encourage organisations to create supplier-related policies that are tailored towards individual business functions, rather than adhering to a blanket supplier management policy that applies to any and all third party relationships across an organisation’s commercial operation.

It’s important to note that ISO 27001 Annex A Control 5.19 asks the organisation to implement policies and procedures that not only govern the organisation’s use of supplier resources and cloud platforms, but also form the basis of how they expect their suppliers to conduct themselves prior to and throughout the term of the commercial relationship.

As such, Annex A Control 5.19 can be viewed as the essential qualifying document that dictates how information security governance is handled over the course of a supplier contract.

ISO 27001 Annex A Control 5.19 contains 14 main guidance points to be adhered to:

1) Maintain an accurate record of supplier types (e.g. financial services, ICT hardware, telephony) that have the potential to affect information security integrity.

Compliance – Draft a list of any and all suppliers that your organisation works with, categorise them according to their business function and add categories to said supplier types as and when required.

2) Understand how to vet suppliers, based on the level of risk inherent for their supplier type.

Compliance – Different supplier types will require different due diligence checks. Consider using vetting methods on a supplier-by-supplier basis (e.g. industry references, financial statements, onsite assessments, sector-specific certifications such as Microsoft Partnerships).

3) Identify suppliers that have pre-existing information security controls in place.

Compliance – Ask to see copies of suppliers’ relevant information security governance procedures, in order to evaluate the risk to your own organisation. If they don’t have any, it’s not a good sign.

4) Identify and define the specific areas of your organisation’s ICT infrastructure that your suppliers will be able to either access, monitor or make use of themselves.

Compliance – It’s important to establish from the outset precisely how your suppliers are going to interact with your ICT assets – be they physical or virtual – and what levels of access they’re granted in accordance with their contractual obligations.

5) Define how the suppliers’ own ICT infrastructure can impact upon your own data, and that of your customers.

Compliance – An organisation’s first obligation is to its own set of information security standards. Supplier ICT assets need to be reviewed in accordance with their potential to affect up-time and integrity throughout your organisation.

6) Identify and manage the various information security risks attached to:

a. Supplier use of confidential information or protected assets (e.g. limited to malicious use and/or criminal intent).

b. Faulty supplier hardware or malfunctioning software platform associated with on-premise or cloud based services.

Compliance – Organisations need to be continually mindful of the information security risks associated with catastrophic events, such as nefarious supplier-side user activity or major unforeseen software incidents, and their impact on organisational information security.

7) Monitor information security compliance on a topic specific or supplier type basis.

Compliance – Organisation’s need to appreciate the information security implications inherent within each supplier type, and adjust their monitoring activity to accommodate varying levels of risk.

8) Limit the amount of damage and/or disruption caused through non-compliance.

Compliance – Supplier activity should be monitored in an appropriate manner, and to varying degrees, in accordance with its risk level. Where non-compliance is discovered, either proactively or re-actively, immediate action should be taken.

9) Maintain a robust incident management procedure that addresses a reasonable amount of contingencies.

Compliance – Organisations should understand precisely how to react when faced with a broad range of events relating to the supply of third party products and services, and outline remedial actions that include both the supplier and the organisation.

10) Enact measures that cater to the availability and processing of the supplier’s information, wherever it’s used, thereby ensuring the integrity of the organisation’s own information.

Compliance – Steps should be taken to ensure that supplier systems and data are handled in a way that doesn’t compromise on the availability and security of the organisation’s own systems and information.

11) Draft a thorough training plan that offers guidance on how staff should interact with supplier personnel and information on a supplier-by-supplier basis, or on a type-by-type basis.

Compliance – Training should cover the full spectrum of governance between an organisation and its suppliers, including engagement, granular risk management controls and topic-specific procedures.

12) Understand and manage the level of risk inherent when transferring information and physical and virtual assets between the organisation and their suppliers.

Compliance – Organisations should map out each stage of the transfer process and educate staff as to the risks associated with moving assets and information from one source to another.

13) Ensure that supplier relationships are terminated with information security in mind, including removing access rights and the ability to access organisational information.

Compliance – Your ICT teams should have a clear understanding of how to revoke a supplier’s access to information, including:

  • Granular analysis of any associated domain and/or cloud-based accounts.
  • Distribution of intellectual property.
  • The porting of information between suppliers, or back to your organisation.
  • Records management.
  • Returning assets to their original owner.
  • Adequate disposal of physical and virtual assets, including information.
  • Adherence to any contractual requirements, including confidentiality clauses and/or external agreements.

14) Outline precisely how you expect the supplier to conduct themselves regarding physical and virtual security measures.

Compliance – Organisations should set clear expectations from the outset of any commercial relationship, that specify how supplier-side personnel are expected to conduct themselves when interacting with your staff or any relevant assets.

Supplementary Guidance on Annex A 5.19

ISO acknowledges that it’s not always possible to impose a full set of policies on a supplier that meet each and every requirement from the above list as ISO 27001 Annex A Control 5.19 intends, especially when dealing with rigid public sector organisations.

That being said, Annex A Control 5.19 clearly states that organisations should use the above guidance when forming relationships with suppliers, and consider non-adherence on a case-by-case basis.

Where full compliance isn’t achievable, Annex A Control 5.19 gives organisations leeway by recommending “compensating controls” that achieve adequate levels of risk management, based on an organisation’s unique circumstances.

What Are the Changes From ISO 27001:2013?

ISO 27001:2022 Annex A 5.19 replaces ISO 27001:2013 Annex A 15.1.1 (Information security policy for supplier relationships).

ISO 27001:2022 Annex A 5.19 broadly adheres to the same underlying concepts contained in the 2013 control, but does contain several additional guidance areas that are either omitted from ISO 27001:2013 Annex A 5.1.1, or at the very least not covered in as much detail, including:

  • The vetting of suppliers based on their supplier type and risk level.
  • The need to ensure the integrity of supplier information in order to secure their own data, and ensure business continuity.
  • The various steps required when ending a supplier relationship, including the decommissioning of access rights, IP distribution, contractual agreements etc.

ISO 27001:2022 Annex A 5.19 is also explicit in acknowledging the highly variable nature of supplier relationships (based on type, sector and risk level), and gives organisations a certain degree of leeway when considering the possibility of non-compliance of any given guidance point, based on the nature of the relationship (see ‘Supplementary Guidance’ above).

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How Does ISMS.online Help With Supplier Relationships?

ISMS.online has made this control objective very easy by providing evidence that your relationships are carefully elected, managed well in life including being monitored and reviewed. Our easy-to-use Accounts relationships (e.g. supplier) area does just that.  The collaborative projects work spaces is great for important supplier on-boarding, joint initiatives, off-boarding etc all of which the auditor can also view with ease when required.

ISMS.online has also made this control objective easier for your organisation by enabling you to provide evidence that the supplier has formally committed to complying with the requirements and has understood its responsibilities for information security through our Policy Packs. Policy Packs are ideal where the organisation has specific policies & controls it wants supplier staff to follow and take confidence they have read them and committed to comply – beyond the broader agreements between customer and supplier.

Depending on the nature of the change (i.e. for more material changes) there may be a broader requirement to align with A.6.1.5 information Security in Project Management.

Using ISMS.online You Can:

  • Quickly implement an Information Security Management System (ISMS).
  • Easily manage the documentation of your ISMS.
  • Streamline compliance with all relevant standards.
  • Manage all aspects of information security, from risk management to security awareness training.
  • Effectively communicate throughout your organisation using our built-in communication functionality.

Get in touch today to book a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo
Assured Results Method

Streamline your workflow with our new Jira integration! Learn more here.