ISO 27001 Annex A Control 5.19

ISO 27001 control 5.19 Information security in supplier relationships

The basics

ISO 27001 control A.5.19 Information security in supplier relationships requires companies to manage risks related to suppliers’ products and/or services, in order to plan how to protect the information that is shared with them.

Documentation

ISO 27001 control A.5.19 Information security in supplier relationships can be documented:

  • For smaller and mid-size companies – by writing a Supplier Security Policy
  • For larger companies – by writing a Procedure for Managing Supplier Security Risks

These documents are not mandatory but are recommended.

Implementation

In order to comply with control A.5.19 Information security in supplier relationships, you might implement the following:

  • Technology — the technology needed to enable information security in supplier relationships will in most cases already be available in the company. Companies of all sizes will probably be able to manage information security risks associated with suppliers by using the same tools and systems adopted to manage their own information security risks (e.g., spreadsheets or dedicated risk management software).
  • Organization/processes — you should set up a process for assessing, evaluating, and treating risks related to suppliers. You will most probably be able to use the same processes and procedures for managing your own information security risks as a basis, with minor adjustments. You can document those processes through a Supplier Security Policy or a Procedure for Managing Supplier Security Risks.
  • People — make employees aware of why managing information security risks related to suppliers is needed, and train them on how to assess, evaluate, and treat risks related to their suppliers.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.19 Information security in supplier relationships: whether information security risks related to third-party products and services are managed.

These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.