This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.19 Information security in supplier relationships.
ISO 27001: 2022 Control Description
Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
Purpose
To maintain an agreed level of information security in supplier relationships.
Guidance on implementation
The organisation should establish and communicate a topic-specific policy on supplier relationships to all relevant interested parties.
The organisation should identify and implement processes and procedures to address security risks associated with the use of products and services provided by suppliers. This should also apply to the organisation’s use of resources from cloud service providers. These processes and procedures should include those implemented by the organisation, as well as those the organisation requires the supplier to implement, both when commencing and terminating the use of a supplier’s products or services. These may include:
a) Identifying and documenting the types of suppliers (e.g. ICT services, logistics, utilities, financial services, ICT infrastructure components) that can affect the confidentiality, integrity, and availability of the organisation's information;
b) Establishing how to evaluate and select suppliers according to the sensitivity of information, products, and services (e.g. through market analysis, customer references, document reviews, on-site assessments, certifications);
c) Evaluating and selecting suppliers' products or services that have adequate information security controls, and reviewing them—particularly the accuracy and completeness of controls implemented by the supplier to ensure the integrity of the supplier’s information and information processing, and hence the organisation’s information security;
d) Defining the organisation’s information, ICT services, and physical infrastructure that suppliers can access, monitor, control, or use;
e) Defining the types of ICT infrastructure components and services provided by suppliers that can affect the confidentiality, integrity, and availability of the organisation's information;
f) Assessing and managing the information security risks associated with:
- The suppliers’ use of the organisation’s information and other associated assets, including risks from potentially malicious supplier personnel;
- Malfunctions or vulnerabilities of the products (including software components and sub-components used in these products) or services provided by the suppliers;
g) Monitoring compliance with established information security requirements for each type of supplier and type of access, including third-party review and product validation;
h) Mitigating non-compliance by a supplier, whether detected through monitoring or by other means;
i) Handling incidents and contingencies associated with supplier products and services, including responsibilities of both the organisation and suppliers;
j) Ensuring resilience and, if necessary, implementing recovery and contingency measures to maintain the availability of the supplier’s information and information processing, and hence the availability of the organisation’s information;
k) Providing awareness and training for the organisation’s personnel interacting with supplier personnel regarding appropriate rules of engagement, topic-specific policies, processes, procedures, and behaviour, based on the type of supplier and the level of supplier access to the organisation’s systems and information;
l) Managing the necessary transfer of information, other associated assets, and anything else that needs to be changed, ensuring that information security is maintained throughout the transfer period;
m) Implementing requirements to ensure a secure termination of the supplier relationship, including:
- De-provisioning of access rights;
- Handling information;
- Determining ownership of intellectual property developed during the engagement;
- Ensuring information portability in the case of a change of supplier or insourcing;
- Managing records;
- Returning assets;
- Secure disposal of information and other associated assets;
- Maintaining ongoing confidentiality requirements;
n) Defining the expected level of personnel security and physical security from supplier personnel and facilities.
The procedures for continuing information processing in the event that the supplier becomes unable to supply its products or services (e.g. due to an incident, going out of business, or ceasing to provide certain components due to technological advancements) should be considered to avoid delays in arranging replacement products or services (e.g. by identifying an alternative supplier in advance or consistently using multiple suppliers).
Other Information
In cases where it is not possible for an organisation to impose requirements on a supplier, the organisation should:
a) Consider the guidance provided in this control when selecting a supplier and its product or service;
b) Implement compensating controls as necessary based on a risk assessment.
Information can be put at risk by suppliers with inadequate information security management. Controls should be determined and applied to manage the supplier's access to information and other associated assets. For instance, if confidentiality is a special concern, non-disclosure agreements or cryptographic techniques can be used. Another example is the risk to personal data protection when the supplier agreement involves the transfer of, or access to, information across borders. The organisation must remain aware that the legal or contractual responsibility for protecting information stays with the organisation.
Risks can also arise from inadequate controls over ICT infrastructure components or services provided by suppliers. Malfunctioning or vulnerable components or services can lead to information security breaches within the organisation or for other entities (e.g. malware infections, attacks, or other harm affecting entities beyond the organisation).