ISO 27001 Annex A 5.19 – Information Security In Supplier Relationships

ISO 27001 Annex A 5.19 is the control for managing information security when you work with other organisations (suppliers). It requires your business to identify and treat the security risks that come from using the products and services those suppliers provide.

In short, it helps you keep your supply chain secure.

Suppliers are one of your biggest security risks because you usually cannot control them directly, yet you depend on them: they may hold or process your data, and they provide services your business needs to operate.

What Is Information Security In Supplier Relationships?

Information security in supplier relationships is how a company manages the risks that come from sharing data with, or using services from, outside organisations.

This process sets up rules to make sure those suppliers protect your company's information. It requires them to stick to the security terms you both agreed on and to comply with the laws and regulations that apply.

This work involves several key steps:

  • Checking New Suppliers: Carefully looking at new suppliers before you hire them (called due diligence).
  • Contract Rules: Putting clear security rules right into your contracts.
  • Checking Up: Regularly watching and checking their work to make sure they are still meeting the security rules.

What is ISO 27001 Annex A 5.19?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Information Security In Supplier Relationships”.

What is the ISO 27001 Annex A 5.19 control objective?

The formal definition and control objective in the standard is: "Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier's products or services."

What is the purpose of ISO 27001 Annex A 5.19?

The purpose of ISO 27001 Annex A 5.19 is "To maintain an agreed level of information security in supplier relationships."

Is ISO 27001 Annex A 5.19 Mandatory?

ISO 27001 Annex A control 5.19 (Information Security In Supplier Relationships in the 2022 standard) is not automatically mandatory in the way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider Annex A 5.19 and every other Annex A control when you select your controls, but you may exclude it if it is not applicable to your organisation's specific risks and context. Any exclusion must be recorded and justified in your Statement of Applicability, and an auditor will expect a convincing reason, since almost every organisation uses at least some suppliers.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. You Have a Supplier Management Process

The auditor will check the policy, procedures, and methods you use for handling suppliers, and will want evidence that you actually followed them. Be ready to show the following:

  • Make sure you have a complete list of every supplier.
  • Check that you have contracts, agreements, or terms for each one.
  • Show proof that your suppliers handle your information securely.

2. You Have an ISO 27001 Supplier Register

You need a Supplier Register to keep track of and manage all your suppliers. Make sure this list is current and truly shows what you do in your business.

3. Documentation is in Order

The auditor will look at your records and supporting documents. They will check that the documents are controlled, classified, and labelled correctly. For example:

  • If a document is secret, it should be clearly marked as Confidential.
  • Check that the document is current.
  • Has someone looked over the document in the last year?
  • Does the version number match the correct file?
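The three checks above can be turned into a repeatable pre-audit self-check over your supplier register. The following Python script is an added example for this page (it is not from the standard or from any certification body): it walks a constructed sample register and reports every supplier that has no contract on file, a contract without security terms, no due-diligence evidence, unclassified data, a duplicate entry, or a review older than an assumed annual cadence. The field names, the 365-day review interval, and the sample suppliers are all assumptions for illustration; adapt them to how your own register is laid out.

```python
from datetime import date, timedelta

# Assumed review cadence: the page asks whether a document was looked over in
# the last year, so the same one-year window is applied to supplier reviews.
REVIEW_INTERVAL_DAYS = 365

# Constructed sample register for illustration only. Field names are assumptions,
# chosen to match what an auditor asks to see for Annex A 5.19: a contract with
# security terms, the classification of data the supplier handles, due-diligence
# evidence, and the date of the last supplier review.
SAMPLE_REGISTER = [
    {"name": "CloudHost Ltd", "service": "IaaS hosting",
     "data_classification": "Confidential", "contract_ref": "CTR-001",
     "security_terms_in_contract": True, "due_diligence_evidence": "DD-2024-03",
     "last_review": "2024-06-01"},
    {"name": "Payroll SaaS Inc", "service": "Payroll processing",
     "data_classification": "Confidential", "contract_ref": "CTR-007",
     "security_terms_in_contract": False, "due_diligence_evidence": "DD-2023-11",
     "last_review": "2023-11-20"},
    {"name": "Print Shop Co", "service": "Marketing print",
     "data_classification": "Internal", "contract_ref": "",
     "security_terms_in_contract": False, "due_diligence_evidence": None,
     "last_review": "2024-09-01"},
    # Duplicate row: a register that lists the same supplier twice is not "current".
    {"name": "CloudHost Ltd", "service": "Backup storage",
     "data_classification": "Confidential", "contract_ref": "CTR-001",
     "security_terms_in_contract": True, "due_diligence_evidence": "DD-2024-03",
     "last_review": "2024-06-01"},
]


def _review_overdue(last_review, today):
    """True if the supplier was never reviewed or the last review is older than the interval."""
    if not last_review:
        return True
    return date.fromisoformat(last_review) < today - timedelta(days=REVIEW_INTERVAL_DAYS)


def validate_register(register, today=None):
    """Return a list of (supplier name, finding) tuples for everything an auditor would flag.

    `today` is an ISO date string (e.g. "2025-01-15") so results are reproducible; it
    defaults to the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    findings = []
    seen = set()
    for entry in register:
        name = entry.get("name") or "<unnamed supplier>"
        if name in seen:
            findings.append((name, "duplicate entry in register"))
            continue
        seen.add(name)
        if not entry.get("data_classification"):
            findings.append((name, "information handled is not classified"))
        if not entry.get("contract_ref"):
            findings.append((name, "no contract or agreement on file"))
        elif not entry.get("security_terms_in_contract"):
            findings.append((name, "contract has no information security terms"))
        if not entry.get("due_diligence_evidence"):
            findings.append((name, "no due-diligence evidence recorded"))
        if _review_overdue(entry.get("last_review"), today):
            findings.append((name, "supplier review overdue or never performed"))
    return findings


def suppliers_needing_action(register, today=None):
    """Sorted, de-duplicated list of suppliers with at least one finding."""
    return sorted({name for name, _ in validate_register(register, today)})


if __name__ == "__main__":
    for supplier, finding in validate_register(SAMPLE_REGISTER, "2025-01-15"):
        print(f"{supplier}: {finding}")
```

Running this before the audit gives you the same list the auditor would build by hand, which is the point: fix the findings first, then bring the register and the evidence behind each entry to the audit.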