Control 5.20: Addressing Information Security Within Supplier Agreements


Summary

The organization should establish and agree on relevant information security requirements with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information.


Applicability

In-Scope: Mandatory for legal and regulatory protection. It ensures that responsibility is clearly defined in writing, providing the basis for accountability in the event of a supplier-side breach.

Out-of-Scope: Never out-of-scope for organizations with third-party relationships.


Implementation Guidance

Microsoft 365 / Entra ID

  • Contract Repository: Store signed Service Level Agreements (SLAs) and security agreements in a restricted SharePoint library with metadata tracking for renewal dates.

  • Compliance Documentation: Download and archive the Microsoft Online Services Terms (OST) and Data Protection Addendum (DPA) as evidence of the security agreement with your primary cloud provider.

  • Shared Responsibility: Use the Microsoft Purview dashboards to visualize the shared responsibility model and identify which controls are the supplier's duty versus yours.


Evidence Checklist

  • Signed Agreements: Formal contracts containing specific information security clauses.

  • Right to Audit: Clauses in agreements that allow the organization to verify the supplier's security (or receive third-party audit reports).

  • Incident Reporting: Contractual requirements for the supplier to notify the organization of any security incidents within a specific timeframe.
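The evidence checklist above, together with the renewal-date metadata mentioned under Implementation Guidance, can be turned into a repeatable check that a supplier-agreement register is run through before an audit. The following is an added example, not code from the original page or from any Microsoft product: the register rows, the 90-day renewal warning and the 72-hour notification ceiling are constructed assumptions for illustration (the 72-hour figure mirrors the example timeframe in the audit questions on this page, not a requirement of the control itself). A real register would be exported from the contract repository rather than typed inline.

```python
"""Check a supplier-agreement register against the control 5.20 evidence checklist.

Added example with constructed data; thresholds are assumptions, not standard text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed thresholds: flag renewals falling due within 90 days and
# incident-notification windows longer than 72 hours.
RENEWAL_WARNING_DAYS = 90
MAX_NOTIFICATION_HOURS = 72


@dataclass
class SupplierAgreement:
    supplier: str
    signed: bool                         # formal contract signed by both parties
    renewal_date: date                   # tracked as repository metadata
    right_to_audit: bool                 # audit clause or third-party audit reports
    incident_notification_hours: Optional[int]   # None means no clause at all
    reviewed_by: Tuple[str, ...] = ()    # teams that reviewed the security clauses


def check_agreement(a: SupplierAgreement, today: date) -> List[str]:
    """Return a list of findings; an empty list means the agreement passes."""
    findings: List[str] = []
    if not a.signed:
        findings.append("agreement not signed")
    if not a.right_to_audit:
        findings.append("no right-to-audit clause or audit-report commitment")
    if a.incident_notification_hours is None:
        findings.append("no incident-notification clause")
    elif a.incident_notification_hours > MAX_NOTIFICATION_HOURS:
        findings.append(
            f"incident notification window {a.incident_notification_hours}h "
            f"exceeds {MAX_NOTIFICATION_HOURS}h"
        )
    if not ({"security", "legal"} & set(a.reviewed_by)):
        findings.append("security clauses not reviewed by security or legal")
    days_left = (a.renewal_date - today).days
    if days_left < 0:
        findings.append(f"agreement expired {-days_left} days ago")
    elif days_left <= RENEWAL_WARNING_DAYS:
        findings.append(f"renewal due in {days_left} days")
    return findings


def check_register(register: List[SupplierAgreement], today: date) -> Dict[str, List[str]]:
    """Map each supplier name to its findings so gaps can be reported per supplier."""
    return {a.supplier: check_agreement(a, today) for a in register}


# Constructed sample register: three fictional suppliers with deliberately
# different levels of completeness.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    SupplierAgreement("CloudHost Ltd", True, date(2025, 3, 1), True, 24,
                      ("security", "legal")),
    SupplierAgreement("PayrollCo", True, date(2024, 7, 15), False, 120,
                      ("procurement",)),
    SupplierAgreement("OldVendor", False, date(2024, 1, 1), True, None,
                      ("legal",)),
]

if __name__ == "__main__":
    for supplier, findings in check_register(SAMPLE_REGISTER, SAMPLE_TODAY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{supplier}: {status}")
```

Each finding maps back to one evidence item on the checklist, so the output doubles as a gap list for the auditor questions that follow: a supplier with an empty findings list has a signed contract, an audit clause, a notification window inside the assumed ceiling, a documented review and a renewal date that is not imminent.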


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that security requirements are tailored to the specific type of service the supplier is providing?

  • Does your agreement include the requirement for the supplier to notify you of a data breach within a legally mandated timeframe (e.g., 72 hours)?

  • How do you handle cases where a critical supplier refuses to sign your standard security addendum?

  • Can you show evidence that the security requirements in a recent contract were reviewed by the security or legal team?