AuditFront

ISO 27001 A.5.19: Information security in supplier relationships

What This Control Requires

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier's products or services.

In Plain Language

Your security is only as strong as your weakest supplier. If a third party has access to your data or systems and they get breached, that is your problem too - your customers will not care that it was a vendor's fault.

This control covers the entire supplier relationship lifecycle: assessing risk before you engage them, putting proper security requirements in contracts, monitoring their security posture over time, and handling data return and access revocation when the relationship ends.

The scope is broader than most people assume. It is not just your cloud provider and your managed services partner. It includes any third party that could affect the confidentiality, integrity, or availability of your information - software vendors, facilities management companies, even suppliers with physical access to your offices.

How to Implement

Build a supplier security management framework covering the full lifecycle. Start with a supplier register that categorises suppliers by the sensitivity of data they touch and the criticality of services they provide.

Assess supplier risk before engaging. Use security questionnaires, review certifications (ISO 27001, SOC 2), and for high-risk suppliers, consider on-site audits. Scale the depth of assessment to the risk - a supplier handling confidential customer data gets a thorough review, while a stationery supplier just needs basic due diligence.

Get the right security clauses into contracts. Cover: specific security controls the supplier must maintain, right to audit (or receive audit reports), incident notification requirements with defined timeframes, data handling and protection obligations, rules around sub-contractors, data return and secure deletion at termination, and liability for security breaches.

Monitor ongoing supplier risk proportionate to their criticality. For key suppliers, review SOC 2 reports or ISO 27001 certificates regularly, run periodic assessments, track their incident history, and review security-related SLAs. Consider a third-party risk management platform if you have many suppliers to track.

Handle offboarding properly. When a supplier relationship ends, get your data back or confirm secure destruction, revoke all system access, change any shared credentials, and document everything with written confirmation from the supplier.

Evidence Your Auditor Will Request

  • Supplier security management policy and procedures
  • Supplier register with risk classifications
  • Supplier security assessments and due diligence records
  • Contracts with security clauses for key suppliers
  • Ongoing monitoring records such as SOC 2 report reviews and audit results

Common Mistakes

  • No formal supplier security assessment process before engaging new suppliers
  • Contracts lack specific information security requirements and right to audit clauses
  • Supplier security is assessed at onboarding but never reviewed again
  • Shadow IT means suppliers are engaged without the security team's knowledge
  • No process for managing supplier offboarding and data return

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC9.2           Equivalent
GDPR        Art.28          Related
GDPR        Art.32          Partial overlap
NIS2        Art.21(2)(e)    Equivalent

Frequently Asked Questions

How should we assess supplier security risk?

Take a risk-based approach. Categorise suppliers by data sensitivity and service criticality. High-risk suppliers should complete detailed questionnaires (SIG or CAIQ), provide certifications or audit reports (SOC 2, ISO 27001), and may need on-site assessments. Medium-risk ones need questionnaires and certification review. Low-risk suppliers can get by with basic due diligence. The key is proportionality - do not burn weeks assessing a supplier who only delivers office furniture.

What should we do if a critical supplier refuses a security audit?

This is common with large cloud and SaaS providers - they will not let every customer run their own audit, and frankly it would not scale. Accept industry-standard certifications instead: SOC 2 Type II reports, ISO 27001 certificates with the statement of applicability. Request their latest reports and actually read them - look for relevant controls and any exceptions. Still include right-to-audit clauses in contracts, even if you exercise that right through third-party certifications. If a supplier refuses any form of security assurance, that is a serious red flag and you should reconsider the relationship.
