ISO 27001 A.5.19: Information security in supplier relationships
What This Control Requires
Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of suppliers' products or services.
In Plain Language
Your security is only as strong as your weakest supplier. If a third party has access to your data or systems and they get breached, that is your problem too - your customers will not care that it was a vendor's fault. This control covers the entire supplier relationship lifecycle: assessing risk before you engage them, putting proper security requirements in contracts, monitoring their security posture over time, and handling data return and access revocation when the relationship ends. The scope is broader than most people assume. It is not just your cloud provider and your managed services partner. It includes any third party that could affect the confidentiality, integrity, or availability of your information - software vendors, facilities management companies, even suppliers with physical access to your offices.
How to Implement
Build a supplier security management framework covering the full lifecycle.

Start with a supplier register that categorises suppliers by the sensitivity of the data they touch and the criticality of the services they provide.

Assess supplier risk before engaging. Use security questionnaires, review certifications (ISO 27001, SOC 2) and, for high-risk suppliers, consider on-site audits. Scale the depth of assessment to the risk: a supplier handling confidential customer data gets a thorough review, while a stationery supplier just needs basic due diligence.

Get the right security clauses into contracts. Cover:
- specific security controls the supplier must maintain
- right to audit (or to receive audit reports)
- incident notification requirements with defined timeframes
- data handling and protection obligations
- rules around sub-contractors
- data return and secure deletion at termination
- liability for security breaches

Monitor ongoing supplier risk proportionate to their criticality. For key suppliers, review SOC 2 reports or ISO 27001 certificates regularly, run periodic assessments, track their incident history, and review security-related SLAs. Consider a third-party risk management platform if you have many suppliers to track.

Handle offboarding properly. When a supplier relationship ends, get your data back or confirm secure destruction, revoke all system access, change any shared credentials, and document everything with written confirmation from the supplier.
Evidence Your Auditor Will Request
- Supplier security management policy and procedures
- Supplier register with risk classifications
- Supplier security assessments and due diligence records
- Contracts with security clauses for key suppliers
- Ongoing monitoring records such as SOC 2 report reviews and audit results
Common Mistakes
- No formal supplier security assessment process before engaging new suppliers
- Contracts lack specific information security requirements and right to audit clauses
- Supplier security is assessed at onboarding but never reviewed again
- Shadow IT means suppliers are engaged without the security team's knowledge
- No process for managing supplier offboarding and data return
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC9.2 | Equivalent |
| GDPR | Art.28 | Related |
| GDPR | Art.32 | Partial overlap |
| NIS2 | Art.21(2)(e) | Equivalent |
Frequently Asked Questions
How should we assess supplier security risk?
What should we do if a critical supplier refuses a security audit?