Control 5.19 : Information Security in Supplier Relationships
Summary
Processes and agreed requirements should be defined and implemented to mitigate the risks associated with the supplier's access to the organization's assets. This ensures that your security posture is not compromised by a weak link in your supply chain.
Applicability
In-Scope: Essential for any organization using SaaS providers (like Microsoft), consultants, or outsourced IT services. It is a key component of vendor risk management and regulatory compliance.
Out-of-Scope: Can only be scoped out if an organization has zero external dependencies, which is not realistic for a cloud-native business.
Implementation Guidance
Microsoft 365 / Entra ID
- External Identities: Use Entra ID B2B Collaboration to manage guest access, ensuring that suppliers use their own credentials while you maintain control over what they can see.
- Governance: Utilize Microsoft Purview Compliance Manager to track and review the compliance certifications (like ISO 27001 or SOC 2) of your major vendors.
- Access Restriction: Apply Cross-Tenant Access Settings to limit which external organizations can collaborate with your users.
Evidence Checklist
- Supplier Inventory: A list of all third-party suppliers with access to sensitive information or systems.
- Security Requirements: Standard clauses or security addendums included in supplier contracts.
- Risk Assessments: Documented reviews of the security posture of critical suppliers conducted prior to onboarding.
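The Entra ID B2B guidance above and the Supplier Inventory evidence item can be tied together with a script that enumerates guest accounts, groups them by the supplier's home domain and flags guests with no recent sign-in as candidates for access revocation. This is an added example, not part of the control text; it assumes the Microsoft.Graph PowerShell module, the User.Read.All and AuditLog.Read.All permissions, an Entra ID P1/P2 license for SignInActivity, and a 90-day staleness threshold chosen for illustration.

```powershell
# Added example: supplier-access inventory from Entra ID B2B guest accounts.
# Assumes Microsoft.Graph is installed, the caller holds User.Read.All and
# AuditLog.Read.All, and SignInActivity is licensed (Entra ID P1/P2).
# The 90-day threshold is an illustrative value, not a requirement of 5.19.
param(
    [int]$StaleAfterDays = 90,
    [string]$ReportPath  = ".\supplier-guest-inventory.csv"
)

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All" -NoWelcome
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Pull users with sign-in activity, then keep guests client-side: Graph does not
# allow the signInActivity property to be combined with a server-side userType filter.
$props  = 'Id','DisplayName','Mail','UserPrincipalName','UserType',
          'CreatedDateTime','ExternalUserState','SignInActivity'
$guests = Get-MgUser -All -Property $props | Where-Object { $_.UserType -eq 'Guest' }

$rows = foreach ($g in $guests) {
    # The guest's home organisation is the domain of their mail address; fall back to
    # the "localpart_domain#EXT#@tenant" encoding in the UPN when Mail is empty.
    $domain = if ($g.Mail) { ($g.Mail -split '@')[-1] } else { (($g.UserPrincipalName -split '#EXT#')[0] -split '_')[-1] }
    $last   = $g.SignInActivity.LastSignInDateTime
    $stale  = (-not $last) -or ($last -lt $cutoff)   # never signed in, or idle too long

    [pscustomobject]@{
        SupplierDomain = $domain.ToLower()
        DisplayName    = $g.DisplayName
        Mail           = $g.Mail
        InvitedState   = $g.ExternalUserState       # PendingAcceptance or Accepted
        Created        = $g.CreatedDateTime
        LastSignIn     = $last
        ReviewAction   = if ($stale) { 'Review for revocation' } else { 'Active' }
    }
}

# Summary per supplier organisation (the inventory itself), then the per-account detail.
$rows | Group-Object SupplierDomain |
    Select-Object @{n='SupplierDomain';e={$_.Name}},
                  @{n='GuestAccounts';e={$_.Count}},
                  @{n='StaleAccounts';e={($_.Group | Where-Object ReviewAction -ne 'Active').Count}} |
    Sort-Object GuestAccounts -Descending | Format-Table -AutoSize

$rows | Sort-Object SupplierDomain, LastSignIn | Export-Csv -NoTypeInformation -Path $ReportPath
Write-Host "Per-account inventory written to $ReportPath"
```

The CSV doubles as audit evidence for the inventory and for the revocation process, since each stale account carries a documented review action and the date of its last sign-in.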
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization determine the level of security risk associated with a new supplier before a contract is signed?
- What specific security requirements are mandatorily included in your agreements with third-party service providers?
- How do you monitor that a supplier is actually adhering to the security obligations defined in their contract?
- What is the process for revoking a supplier's access once the project or contract has concluded?