
Which vendors should I add to my vendor register?

How do I know which suppliers are relevant to my management system?

Quick navigation:

  1. ISO 27001
  2. ISO 9001
  3. ISO 14001
  4. ISO 42001
  5. A note on overlap

Your vendor register captures the external parties that matter to your management system — not every supplier you've ever worked with. Which vendors are "in scope" depends on the standard you're certified to, because each one defines external providers differently.

The core principle

Include vendors whose products, services, or conduct can affect your management system's objectives, legal obligations, or performance. You do not need to list every supplier just because a commercial relationship exists.
ISO 27001 — Information Security Management

Focus: vendors that touch, store, process, or transmit your information — or that could affect its confidentiality, integrity, or availability.

Clause 8.4 requires you to control externally provided processes, products, and services. Annex A controls A.5.19–A.5.22 specifically address supplier relationships and the information security requirements within them.

Cloud & hosting

  • Cloud infrastructure providers (AWS, Azure, GCP)
  • SaaS platforms (CRM, HR, finance systems)
  • Data centre & colocation providers
  • Backup & disaster recovery services
  • Content delivery networks (CDNs)

Managed services & IT support

  • Managed IT service providers (MSPs)
  • Managed security service providers (MSSPs)
  • Network and telecommunications providers
  • Outsourced software development contractors

Data handling & processing

  • Data processors and sub-processors
  • Document management services
  • Confidential waste and secure shredding
  • Background screening and vetting providers
  • Identity verification services

Security testing & audit

  • Penetration testing firms
  • Vulnerability scanning services
  • External auditors and certification bodies
  • Security awareness training providers

Physical & access security

  • Physical security and CCTV contractors
  • Access control system suppliers
  • Visitor management system providers

ISO 9001 — Quality Management

Focus: vendors whose outputs directly affect the quality of your products or services, or whose processes you outsource.

Clause 8.4 covers control of externally provided processes, products, and services. The level of control required scales with how directly the vendor's output affects your customer-facing quality.

Materials & components

  • Raw material suppliers
  • Component and parts manufacturers
  • Packaging suppliers
  • Office and production consumables

Outsourced processes & manufacturing

  • Sub-contract manufacturers
  • Assembly and finishing contractors
  • Print and fulfilment services
  • Outsourced service delivery partners

Testing & calibration

  • Calibration service providers
  • Independent testing laboratories
  • Inspection and certification bodies

Logistics & distribution

  • Freight and logistics partners
  • Warehousing and storage providers
  • Last-mile delivery services

Support & advisory

  • QMS consultants
  • Equipment maintenance contractors
  • Staff training and competency providers
  • IT systems supporting quality processes

ISO 14001 — Environmental Management

Focus: vendors whose products, services, or activities can affect your significant environmental aspects, legal compliance obligations, or environmental performance.

Clause 8.1 requires you to control outsourced processes and to apply purchasing controls to goods and services that can have significant environmental impacts. You do not need to include every supplier, only those that are environmentally relevant under your EMS.

Waste & disposal

  • Waste collection and disposal companies
  • Recycling contractors
  • Hazardous waste contractors
  • WEEE (electronic waste) recyclers
  • Composting and organic waste services

Utilities & energy

  • Electricity suppliers
  • Gas suppliers
  • Water and wastewater providers
  • Renewable energy certificate (REC) providers
  • Carbon offsetting services

Facilities & maintenance

  • Building maintenance contractors
  • HVAC servicing companies
  • Cleaning contractors (especially where chemicals are used)
  • Pest control providers
  • Grounds maintenance and landscaping contractors

Environmentally significant products

  • Chemical suppliers
  • Fuel suppliers
  • Printing and packaging suppliers
  • Office consumables (where green purchasing controls apply)

Transport & logistics

  • Couriers
  • Freight companies
  • Fleet maintenance providers

Environmental advisory & monitoring

  • Environmental consultants
  • Environmental monitoring companies
  • Laboratory testing providers
  • Carbon accounting and reporting services

ISO 42001 — Artificial Intelligence Management

Focus: vendors who provide, develop, host, or process data for AI systems — or whose outputs affect the fairness, safety, and transparency of those systems.

Clause 8.4 addresses control of externally provided processes, products, and services. ISO 42001 places particular emphasis on understanding third-party AI systems used in your own AI value chain and their potential societal and ethical impacts.

AI models & platforms

  • Foundation model providers (e.g. OpenAI, Anthropic, Google DeepMind)
  • AI-as-a-service platforms
  • Pre-trained model vendors
  • Fine-tuning and model customisation services

Data & training

  • Data brokers and dataset providers
  • Data labelling and annotation services
  • Synthetic data generation providers
  • Data enrichment services

Infrastructure & deployment

  • Cloud providers hosting AI workloads
  • MLOps and model deployment platforms
  • Vector database providers
  • AI development toolchains and IDEs

Monitoring & assurance

  • AI monitoring and observability platforms
  • Bias testing and fairness assessment services
  • AI security and red-teaming providers
  • Explainability tooling providers

Governance & compliance

  • AI ethics and governance consultants
  • Third-party AI auditors and certification bodies
  • Legal advisors specialising in AI regulation
  • AI risk management framework providers

A note on overlap

Many vendors appear across more than one standard. A cloud provider, for example, is relevant under ISO 27001 for data security and under ISO 42001 for AI infrastructure. Register them once and link to the relevant standards — there's no need to create duplicate entries.
