Control 5.22: Monitoring, Review and Change Management of Supplier Services


Summary

The organization should regularly monitor, review, and audit supplier service delivery. This ensures that the information security terms and conditions within supplier agreements are being maintained and that service changes are managed without compromising security.


Applicability

In-Scope: Essential for maintaining oversight of critical partners like cloud service providers or managed security service providers (MSSPs). It ensures that compliance at onboarding does not degrade over time.

Out-of-Scope: The control can be excluded only if no external supplier has access to the organization's information or systems, which is highly unlikely in a modern enterprise.


Implementation Guidance

Microsoft 365 / Entra ID

  • Performance Tracking: Use Microsoft Purview Compliance Manager to store periodic evidence of supplier compliance audits (e.g., SOC 2 Type II reports or ISO/IEC 27001 certificates) against the relevant improvement actions. Check the report date and scope before accepting it as evidence: an expired certificate, or a report that does not cover the services you actually consume, does not demonstrate ongoing compliance. For Microsoft itself as a supplier, its own audit reports and certificates are published in the Service Trust Portal.

  • Incident Monitoring: Utilize Microsoft Sentinel to monitor logs from connected third-party SaaS applications, ensuring that supplier activity remains within defined security bounds.

  • Change Governance: Require external consultants to work from named, individually assigned accounts so that every change is attributable, and record and review any major change they make to the Microsoft 365 tenant configuration using the Entra ID audit logs (directory, policy and role changes) and the Microsoft 365 unified audit log (workload configuration changes).

  • Access Review: Use Entra ID access reviews (Entra ID P2 / Entra ID Governance licensing) to periodically recertify guest and supplier accounts and the groups or roles they hold, so that access granted for a past engagement is removed when the supplier's service scope changes.
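
The Sentinel and audit-log bullets above can be turned into a concrete query. The following KQL is added here as an example; it is not taken from the original page or from Microsoft's documentation. It lists Entra ID directory changes initiated by guest accounts (whose user principal names carry the "#EXT#" marker) or by accounts from known supplier domains. The `supplierDomains` list and the set of audit categories are assumptions to adapt to the organization's own supplier agreements.

```kql
// Added example: Entra ID directory changes made by external (supplier) identities.
// supplierDomains is an assumed list of the domains your suppliers sign in from.
let supplierDomains = dynamic(["contoso-consulting.example", "fabrikam-msp.example"]);
// Assumed set of categories that represent configuration changes worth reviewing.
let reviewCategories = dynamic(["Policy", "ApplicationManagement", "RoleManagement", "GroupManagement"]);
AuditLogs
| where TimeGenerated > ago(30d)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Initiator)
// Guest UPNs look like user_supplier.example#EXT#@tenant.onmicrosoft.com
| where Initiator contains "#EXT#" or Initiator has_any (supplierDomains)
| where Category in (reviewCategories)
| project TimeGenerated, Initiator, Category, OperationName, Result,
          Target = tostring(TargetResources[0].displayName),
          TargetType = tostring(TargetResources[0].type),
          ModifiedProperties = TargetResources[0].modifiedProperties
| order by TimeGenerated desc
```

Each row is a change that should map to an approved change request in the supplier's change log; rows with no matching request are the ones to raise at the next service review. The same filter on `Initiator` applied to `SigninLogs` shows when and from where supplier accounts are signing in, which supports the auditor's question about whether supplier access stays within the agreed service scope.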


Evidence Checklist

  • Service Review Minutes: Documentation of periodic meetings with critical suppliers to review security performance.

  • Audit Reports: Copies of updated third-party audit reports (e.g., SOC 2 Type II) for all in-scope suppliers.

  • Change Request Logs: Evidence of a formal review and approval process for changes to supplier-provided services.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How often does the organization perform a formal review of its most critical suppliers' security performance?

  • What is the process for addressing a supplier's failure to meet the security requirements defined in their contract?

  • Can you provide evidence of a recent change in a supplier's service that was formally reviewed for security impact?

  • How do you monitor that a supplier's access remains limited to only what is necessary for their current service delivery?