June 7, 2024

ISO 27001:2022 Annex A Control 5.19: Information Security in Supplier Relationships

Annex A control 5.19 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A control 15.1.1


Annex A Control 5.19 covers supplier relationship information security, in an effort to protect the valuable organisational assets that are accessible to or affected by suppliers. It also covers partner and client relationships.

Whether suppliers perform work you have chosen not to do or cannot do internally, selecting and managing them is a different process for every business. Controls and policies should reflect this, segmenting the supply chain where possible.

What is the purpose of Annex A Control 5.19?

Organisations must consider the level of risk created by their external systems, suppliers, products, and services. Control 5.19 outlines what a strong policy must describe: how the information assets shared with suppliers are segmented, selected and managed to mitigate those risks. Any broader supplier relationship framework must include information security policies.

Annex A control 5.19 takes a preventative approach to supplier risk: modifying risk, maintaining procedures and addressing the security hurdles inherent in supplier relationships.

How to use control 5.19

Control 5.19 encourages a topic-specific approach to supplier information security. Supplier agreements may involve suppliers contributing to high-value information assets, so there should be a clear agreement in place on how much access is allowed and what security is required.

Information management is increasingly being outsourced, so supplier staff must be aware of security policies to ensure business compliance. As part of a topic-specific approach, supplier policies must be tailored to specific business functions, rather than being a one-size-fits-all solution.

Implementing policies and procedures is important for governing supplier resources and forming a basis for conducting commercial relationships. These policies and procedures are outlined in control 5.19.

Control 5.19 guidance points

In control 5.19, there are 14 main guidance points that businesses should adhere to with regards to supplier relationships. These are:

  1. Maintain a precise record of supplier types that could affect information security integrity.
  2. Evaluate suppliers based on the risk associated with their type.
  3. Identify suppliers with existing information security controls.
  4. Specify which areas of your organisation’s IT infrastructure suppliers can access, monitor or use.
  5. Define how suppliers' infrastructures can affect your data and your customers' data.
  6. Manage information security risks related to suppliers handling confidential information and using faulty hardware.
  7. Monitor information security compliance on specific topics.
  8. Minimise damage and disruption caused by non-compliance.
  9. Maintain a robust incident management procedure for contingencies.
  10. Implement measures to ensure the availability and integrity of supplier information processing.
  11. Develop a comprehensive training plan to guide staff on interacting with supplier personnel and information.
  12. Manage the risks associated with transferring information and assets between the organisation and suppliers.
  13. Ensure the secure termination of supplier relationships, including revoking access rights and data access.
  14. Outline expectations for supplier conduct regarding data access.

What are the changes from ISO 27001:2013?

Both ISO 27001:2022 Annex A control 5.19 and ISO 27001:2013 Annex A control 15.1.1 broadly cover the same ground, but the more recent version has been updated to include additional guidance points that the 2013 version either does not cover at all or does not cover in detail.

These additional guidance points include:

  • Evaluating suppliers according to their type and associated risk level.
  • Ensuring the accuracy and reliability of supplier information to safeguard their own data and maintain business continuity.
  • The necessary procedures to terminate a supplier relationship, including the revocation of access rights.

The 2022 version also directly acknowledges that supplier relationships can vary greatly, giving businesses the latitude to adapt the criteria to specific situations and circumstances.
