
ISO 27001 Annex A 5.19 Audit Checklist

In this ultimate how-to audit guide to ISO 27001 Annex A 5.19 Information Security in Supplier Relationships, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 5.19 Information Security in Supplier Relationships is the critical verification of third-party risk management. The audit validates the primary implementation requirement: embedding security clauses into supplier contracts and rigorously monitoring supplier performance against them. The business benefit is shielding the organisation from supply chain attacks by ensuring that vendors maintain the same security standards as the organisation that hires them.

1. Supplier Information Security Policy Formalisation Verified

Verification Criteria: A documented policy exists defining the security requirements for mitigating risks associated with supplier access to organisational assets.

Required Evidence: Approved Supplier Security Policy or integrated Procurement Policy with specific security clauses.

Pass/Fail Test: If the organisation lacks a formal policy defining the security criteria for selecting and managing suppliers, mark as Non-Compliant.

2. Supplier Risk Categorisation and Assessment Validated

Verification Criteria: All suppliers with access to sensitive data are categorised by risk level and have undergone a formal security impact assessment.

Required Evidence: Supplier Risk Register or completed Security Due Diligence Questionnaires (DDQs) for a sample of high-risk vendors.

Pass/Fail Test: If a critical SaaS vendor or managed service provider has been onboarded without a documented risk assessment, mark as Non-Compliant.

3. Security Clauses in Legal Agreements Confirmed

Verification Criteria: Contracts and Service Level Agreements (SLAs) include specific information security requirements, including right-to-audit and breach notification obligations.

Required Evidence: Signed Master Service Agreements (MSAs) or Data Processing Agreements (DPAs) containing mandatory security annexes.

Pass/Fail Test: If a supplier contract lacks a “Right to Audit” clause or a defined timeframe for security incident reporting, mark as Non-Compliant.
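The pass/fail tests in steps 1 to 3 can be applied mechanically to a supplier register, which is useful when an auditor wants to sample every in-scope vendor rather than a handful. The script below is an added example and is not part of the original checklist or any High Table toolkit; the register field names (`access`, `risk_tier`, `risk_assessment_date`, `contract`) and the four supplier entries are constructed for illustration and are assumptions, not a format the checklist prescribes.

```python
# Added example: running the Annex A 5.19 pass/fail tests (steps 1-3) over a
# supplier register. Field names and supplier entries are constructed for this
# example and are not a format defined by the checklist.

# Step 1 evidence: an approved supplier security policy (constructed record).
SUPPLIER_POLICY = {"title": "Supplier Security Policy", "approved": True, "version": "1.2"}

# Constructed supplier register. "access" is one of "none", "limited", "sensitive".
SUPPLIERS = [
    {"name": "ExampleCRM (constructed)", "access": "sensitive", "risk_tier": "high",
     "risk_assessment_date": "2024-03-01",
     "contract": {"signed": True, "right_to_audit": True, "breach_notification_hours": 24}},
    {"name": "ExampleMSP (constructed)", "access": "sensitive", "risk_tier": "high",
     "risk_assessment_date": None,  # onboarded with no documented risk assessment
     "contract": {"signed": True, "right_to_audit": True, "breach_notification_hours": 72}},
    {"name": "ExampleHosting (constructed)", "access": "limited", "risk_tier": "medium",
     "risk_assessment_date": "2023-11-15",
     "contract": {"signed": True, "right_to_audit": False, "breach_notification_hours": None}},
    {"name": "ExampleStationery (constructed)", "access": "none", "risk_tier": "low",
     "risk_assessment_date": None,
     "contract": {"signed": True, "right_to_audit": False, "breach_notification_hours": None}},
]


def check_policy(policy):
    """Step 1: a formal, approved supplier security policy must exist."""
    findings = []
    if not policy or not policy.get("approved"):
        findings.append("Step 1: no approved supplier security policy on file")
    return findings


def check_supplier(supplier):
    """Steps 2 and 3 applied to a single supplier. Returns a list of findings;
    an empty list means the supplier passes both tests."""
    findings = []
    name = supplier["name"]
    access = supplier.get("access", "none")
    contract = supplier.get("contract") or {}

    # Step 2 applies to suppliers with access to sensitive data.
    if access == "sensitive":
        if not supplier.get("risk_tier"):
            findings.append(f"Step 2: {name} has sensitive access but no risk categorisation")
        if not supplier.get("risk_assessment_date"):
            findings.append(f"Step 2: {name} onboarded without a documented risk assessment")

    # Step 3 applies to any supplier with access to organisational assets.
    if access != "none":
        if not contract.get("signed"):
            findings.append(f"Step 3: {name} has no signed agreement on file")
        if not contract.get("right_to_audit"):
            findings.append(f"Step 3: {name} contract lacks a Right to Audit clause")
        if contract.get("breach_notification_hours") is None:
            findings.append(f"Step 3: {name} contract has no defined incident reporting timeframe")
    return findings


def audit(policy, suppliers):
    """Run steps 1-3 over the whole register.
    Returns (verdict, findings); any finding makes the verdict 'Non-Compliant'."""
    findings = check_policy(policy)
    for supplier in suppliers:
        findings.extend(check_supplier(supplier))
    verdict = "Non-Compliant" if findings else "Compliant"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = audit(SUPPLIER_POLICY, SUPPLIERS)
    print(verdict)
    for finding in findings:
        print(" -", finding)
```

Run against the constructed register, the script reports Non-Compliant with three findings: the MSP has no documented risk assessment (step 2) and the hosting provider's contract lacks both a Right to Audit clause and an incident reporting timeframe (step 3). The stationery supplier, with no access to organisational assets, raises nothing, which mirrors how an auditor scopes these tests to suppliers that actually touch the organisation's assets.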
