Control 5.21 : Managing Information Security in the ICT Supply Chain
Summary
The organization should define and implement processes to manage the risks associated with the Information and Communication Technology (ICT) products and services supply chain. This includes hardware, software, and cloud services that form the backbone of your IT environment.
Applicability
In-Scope: Critical for preventing supply chain attacks (like rogue software updates). It is highly relevant for a Cybersecurity Specialist managing a modern tech stack.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Software Integrity: Use Microsoft Intune to ensure only approved, digitally signed software versions are deployed to company devices.
- Supply Chain Visibility: Use Microsoft Defender for Cloud Apps to discover and assess the risk of all SaaS applications in use across the organization.
- Vulnerability Management: Use Microsoft Defender Vulnerability Management to identify and patch security flaws in third-party software products installed in your environment.
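The software-integrity point above can be backed by a pre-deployment check. The following PowerShell script is an added example, not part of the control text or of any Microsoft tooling: it verifies that each staged update package carries a valid Authenticode signature from a publisher on an approved list and writes a timestamped report that can serve as audit evidence. The staging path and the publisher list are placeholders you would replace with your own.

```powershell
# Added example: verify staged update packages before deployment.
# $StagingDir and $ApprovedPublishers are placeholders (assumptions), not values from the control.
$StagingDir         = 'C:\UpdateStaging'
$ApprovedPublishers = @('CN=Microsoft Corporation*', 'CN=Example Vendor Ltd*')   # constructed list

$report = Get-ChildItem -Path $StagingDir -Include *.exe,*.msi,*.msp,*.ps1 -Recurse -File |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer  = $sig.SignerCertificate
        $subject = if ($signer) { $signer.Subject } else { '<unsigned>' }

        # The signer must match one of the approved publisher patterns.
        $publisherApproved = $false
        foreach ($pattern in $ApprovedPublishers) {
            if ($subject -like $pattern) { $publisherApproved = $true; break }
        }

        # Deploy only if the signature chain validates AND the signer is approved.
        # A 'Valid' status alone is not enough: any trusted CA could have issued the certificate.
        $approved = ($sig.Status -eq 'Valid') -and $publisherApproved

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = $subject
            Thumbprint = if ($signer) { $signer.Thumbprint } else { '' }
            Approved   = $approved
        }
    }

# Keep the report as evidence for the audit trail and flag anything that must not be deployed.
$reportPath = Join-Path $StagingDir ('update-integrity-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
$report | Export-Csv -Path $reportPath -NoTypeInformation
$report | Where-Object { -not $_.Approved } |
    ForEach-Object { Write-Warning "Blocked: $($_.File) (status=$($_.Status), signer=$($_.Signer))" }
```

Matching on the certificate subject is a minimum bar; pinning the expected signer thumbprints per vendor in the approved list is stricter and is what the Thumbprint column in the report is there to support.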
Evidence Checklist
- Approved Vendor List: A list of vetted ICT providers and software vendors.
- Vulnerability Reports: Records of scans and patches applied to third-party software and systems.
- Supply Chain Risk Assessment: Documented reviews of the risks associated with critical technology components.
Practical Audit Advice
Here are some questions the auditor might ask:
- How do you verify the integrity of software updates before they are deployed to your production environment?
- What is the process for identifying and phasing out ICT products that are end-of-life and no longer receive security patches?
- How do you assess the security risk of a new software-as-a-service (SaaS) application before allowing it to connect to your Entra ID tenant?
- Can you demonstrate how you monitor for supply chain advisories related to the hardware or software you currently use?