CYBERINFO
Organizational Control 5.19

Information Security in Supplier Relationships

Summary

Processes and agreed requirements should be defined and implemented to mitigate the risks associated with the supplier's access to the organization's assets. This ensures that your security posture is not compromised by a weak link in your supply chain.

Applicability

In-Scope: Essential for any organization using SaaS providers (like Microsoft), consultants, or outsourced IT services. It is a key component of vendor risk management and regulatory compliance.

Out-of-Scope: Could only be excluded if an organization had zero external dependencies, which is not realistic for a cloud-native business.

Implementation Guidance

Microsoft 365 / Entra ID

  • External Identities: Use Entra ID B2B Collaboration to manage guest access, ensuring that suppliers use their own credentials while you maintain control over what they can see.

  • Governance: Utilize Microsoft Purview Compliance Manager to track and review the compliance certifications (like ISO 27001 or SOC 2) of your major vendors.

  • Access Restriction: Apply Cross-Tenant Access Settings to limit which external organizations can collaborate with your users.
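One way to turn the guidance above (and the auditor's later question about revoking supplier access) into a repeatable check is to reconcile Entra ID guest accounts against the supplier inventory and flag stale or unexpected guests for review. This is an added example, not code from the CYBERINFO page or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, an account with the listed Graph scopes, an Entra ID P1/P2 licence (needed for signInActivity), and a constructed supplier-inventory.csv with a Domain column. The 90-day threshold is an assumed review policy.

```powershell
# Added example (not part of the original page). Assumes Microsoft.Graph SDK,
# scopes User.Read.All, AuditLog.Read.All, Policy.Read.All, and a constructed
# supplier-inventory.csv with a "Domain" column. 90 days is an assumed policy.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','Policy.Read.All' -NoWelcome

# Approved supplier domains from the supplier inventory (Evidence Checklist item).
$approvedDomains = (Import-Csv -Path '.\supplier-inventory.csv').Domain |
    ForEach-Object { $_.ToLowerInvariant() }

$staleAfter = (Get-Date).AddDays(-90)

# Enumerate B2B guest accounts together with their last interactive sign-in.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property 'id,displayName,mail,userPrincipalName,createdDateTime,signInActivity'

$findings = foreach ($g in $guests) {
    # Guest UPNs are rewritten as user_partner.com#EXT#@yourtenant.onmicrosoft.com;
    # the mail attribute still carries the supplier's real domain.
    $domain = if ($g.Mail) { ($g.Mail -split '@')[-1].ToLowerInvariant() } else { 'unknown' }
    $lastSignIn = $g.SignInActivity.LastSignInDateTime

    $issues = @()
    if ($domain -notin $approvedDomains) { $issues += 'domain not in supplier inventory' }
    if (-not $lastSignIn -and $g.CreatedDateTime -lt $staleAfter) { $issues += 'never signed in' }
    elseif ($lastSignIn -and $lastSignIn -lt $staleAfter) { $issues += 'no sign-in in 90 days' }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Domain      = $domain
            LastSignIn  = $lastSignIn
            Issues      = ($issues -join '; ')
        }
    }
}

# Review list: candidates for offboarding or for adding to the inventory.
$findings | Sort-Object Domain | Format-Table -AutoSize

# Cross-tenant access: partner tenants that have explicit B2B settings configured,
# so they can be compared against the same supplier inventory.
Get-MgPolicyCrossTenantAccessPolicyPartner -All |
    Select-Object TenantId, IsServiceProvider
```

Guests flagged here are review candidates only; removal should follow the offboarding process agreed in the supplier contract.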

Evidence Checklist

  • Supplier Inventory: A list of all third-party suppliers with access to sensitive information or systems.

  • Security Requirements: Standard clauses or security addendums included in supplier contracts.

  • Risk Assessments: Documented reviews of the security posture of critical suppliers conducted prior to onboarding.

Practical Audit Advice

Here are some questions the auditor might ask:

  • How does the organization determine the level of security risk associated with a new supplier before a contract is signed?

  • What specific security requirements are mandatorily included in your agreements with third-party service providers?

  • How do you monitor that a supplier is actually adhering to the security obligations defined in their contract?

  • What is the process for revoking a supplier's access once the project or contract has concluded?

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

  • Third-Party & Supplier Security Policy (docx): Establishes security requirements for third-party suppliers who access organizational systems or data.

  • Supplier Assessment Checklist (xlsx): Security evaluation checklist for assessing third-party suppliers during onboarding and periodic review.

  • Data Processing Agreement (DPA) Template (docx): Legal template for data processing agreements with suppliers handling personal or sensitive data.

See all templates on the Templates page.