Information Security in Supplier Relationships - ISO 27001 Annex A Control

Suppliers handle your information - the risk does not stop at the supplier door.

ISO 27001 Annex A 5.19 - Information Security in Supplier Relationships

Suppliers are an extension of the organisation's information security boundary. Anyone who can access, store, transmit or process the organisation's information becomes part of the risk picture. This control is the policy and process layer that defines how supplier-related risk is managed across the lifecycle of a supplier relationship.

The process needs to start before contracts are signed. Suppliers who will handle sensitive information should be assessed during selection: what information will they have access to, what controls do they have in place, and what evidence of those controls can they provide? Higher-risk suppliers may need a more detailed security review before the engagement is approved.

Once the supplier is engaged, the relationship needs ongoing oversight. Periodic review confirms the security position is still adequate and any changes in the supplier's services or controls are picked up. The depth and frequency of review scale with the risk - critical suppliers handling confidential information get more attention than low-risk suppliers handling generic services.

I look at three things on supplier security. The selection process: was security part of the appraisal before contract signing? The contract or agreement: does it include the right security clauses, including a right to audit where needed? The ongoing relationship: is the supplier reviewed on the right cycle, and have any issues found in review been recorded and addressed?

Practical Compliance Guidance

Supplier information security is described in the IMS1 Manual in section 8.2 on information security arrangements. The supplier register and supplier appraisal forms support the practical implementation.

alphaZ documents and how to use them:

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit, including the IMS1 Manual, policies, procedures, registers and audit checklists.
F-Q9 Supplier Contractor Appraisal - The appraisal form used to assess suppliers, including their information security position. Use it during selection and as part of ongoing review.
ER3 Key Supplier Contractor Register - A simple register for logging details of Key Suppliers or Sub-Contractors (defined as suppliers whose product or service could affect the quality of our own product or service provision), including details of any information security credentials held.
P-37 Supplier Security Policy - States the company's policy on appraising, monitoring and reviewing suppliers who provide, access, store or communicate with the company's IT infrastructure components.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does every supplier need a full security review?
No. The depth of review should be proportionate to the risk. Suppliers who never handle sensitive information may need only basic checks. Suppliers handling personal data or confidential commercial information, or providing critical services, need a deeper review including evidence of their security arrangements.

What evidence should a higher-risk supplier provide?
For higher-risk suppliers, evidence might include their own ISO 27001 certificate, SOC 2 reports, Cyber Essentials certification, or completion of a security questionnaire. The evidence required scales with the risk: more critical relationships warrant stronger evidence. Check that any certificate or report is current and that its stated scope actually covers the service and locations being supplied to you; a certificate covering a different business unit says little about the service you are buying.

How does A.5.19 differ from A.5.20?
A.5.19 is the overall management of supplier relationships, including selection, appraisal and ongoing oversight. A.5.20 is specifically about the contractual arrangements, making sure agreements with suppliers include appropriate information security clauses. The two work together but address different layers.
