ISO 27001 Annex A 5.19 is a security control that mandates the establishment of processes and procedures to manage risks associated with third-party partners. The primary implementation requirement involves formalising supplier security policies and vetting procedures, ensuring a significant business benefit by protecting sensitive data and maintaining operational uptime.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.19 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.19 Information Security in Supplier Relationships
ISO 27001 Annex A 5.19 requires organizations to define and implement processes to manage information security risks associated with the use of supplier products or services. Suppliers often represent your greatest “blind spot”; they hold your data and maintain your systems, yet you cannot directly manage their internal security. This control ensures that you maintain an agreed-upon level of security throughout the Supply Chain, from initial vetting to the termination of the contract.
Core requirements for compliance include:
- Supplier Vetting & Due Diligence: Before signing a contract, you must evaluate a supplier’s security posture. This is typically done through security questionnaires or by verifying their ISO 27001 Certification.
- Risk-Based Tiering: Not all suppliers are equal. You should categorize suppliers into “Tiers” based on the sensitivity of the data they handle or their criticality to your operations.
- Contractual Binding: Security requirements must be legally enforceable. This includes “Right to Audit” clauses, data protection terms (GDPR), and incident notification timelines.
- The Supplier Register: You must maintain a central inventory of all third-party suppliers, their contact details, and their current security status.
- Access Management: You must define how suppliers access your systems, ensuring they only have the minimum access required (Least Privilege) and that this access is revoked immediately when the project ends.
- Ongoing Monitoring: Supplier security is not a “one-off” check. You must periodically review critical suppliers to ensure they haven’t allowed their certifications to lapse or their security standards to drift.
Audit Focus: Auditors will look for “The Supply Chain Paper Trail”:
- Direct Evidence of Vetting: “Show me the security assessment for your cloud hosting provider or your payroll company. How did you verify they were secure?”
- Contractual Review: “Does your contract with your external IT support include a clause about notifying you of a data breach within a specific timeframe?”
- Tiering Logic: “Show me your Supplier Tiering Matrix. Why is your stationery supplier categorized differently than your SaaS CRM provider?”
Supplier Tiering Matrix (Audit Prep):
| Supplier Tier | Definition | Example | Required Due Diligence | ISO 27001:2022 Control |
|---|---|---|---|---|
| Tier 1 (Critical) | Holds PII or critical to uptime. | AWS, Azure, Payroll. | ISO 27001 Cert + Deep Audit. | Annex A 5.19 / 5.23 |
| Tier 2 (High) | Has system access, no PII. | IT Support, Dev Agency. | Security Questionnaire. | Annex A 5.19 / 5.21 |
| Tier 3 (Low) | No access to systems/data. | Office Snacks, Furniture. | None / Basic ID Checks. | Annex A 5.19 |
Table of contents
- What is ISO 27001 Annex A 5.19?
- Watch the ISO 27001 Annex A 5.19 Tutorial
- ISO 27001 Annex A 5.19 Podcast
- ISO 27001 Annex A 5.19 Implementation Guidance
- How to implement ISO 27001 Annex A 5.19
- Supplier Tiering Example
- ISO 27001 Supplier Register Template
- ISO 27001 Supplier Policy Template
- How to comply
- How to audit ISO 27001 Annex A 5.19
- How to pass the ISO 27001 Annex A 5.19 audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.19 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.19 across different business models.
- Fast Track ISO 27001 Annex A 5.19 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.19 Applicable Laws and Related Standards
- ISO 27001 Annex A 5.19 FAQ
- Related ISO 27001 Controls and Further Reading
- ISO 27001 controls and attribute values
What is ISO 27001 Annex A 5.19?
ISO 27001 Annex A 5.19 is about information security in supplier relationships, which means you must secure your supply chain and manage the security risks that come from using third-party suppliers.
ISO 27001 Annex A 5.19 Information Security In Supplier Relationships is an ISO 27001 control that requires an organisation to manage the information security risks of using supplier products and services.
It is about securing the supply chain.
Suppliers represent one of your biggest risks: you cannot directly manage or influence them, yet you are likely to rely on them, they hold your data, and they provide services you need to be successful.
ISO 27001 Annex A 5.19 Purpose
ISO 27001 Annex A 5.19 is a preventive control. Its purpose is to ensure that you maintain an agreed level of information security in supplier relationships.
ISO 27001 Annex A 5.19 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.19 as:
Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships
Watch the ISO 27001 Annex A 5.19 Tutorial
In the video ISO 27001 Information Security In Supplier Relationships Explained – ISO27001:2022 Annex A 5.19 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.19 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.19 Information Security In Supplier Relationships. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.19 Implementation Guidance
We are going to rely on a couple of mechanisms to ensure information security in supplier relationships.
Topic Specific Policy
The standard requires a topic specific policy on supplier relationships – ISO 27001 Supplier Policy Template
Supplier Management Process
You will need a supplier management process that sets out:
- how to identify and document suppliers and supplier types
- how to evaluate suppliers according to the information they process, transmit or share
- how to review the controls that are in place
- what suppliers can access, monitor, control and use, and where this is documented
- how supplier risks are assessed and managed
- how compliance with your information security requirements is monitored and enforced
- what mitigation is applied when a supplier is non-compliant
- how incidents are handled
- availability, business continuity and disaster recovery expectations
- how the transfer of information is managed
- the process for terminating a supplier or ending a supplier relationship
- the level of personnel security and physical security expected
ISO 27001 Supplier Register
The best way to manage ISO 27001 Suppliers is via the ISO 27001 Supplier Register. You can learn more in the ISO 27001 Supplier Register Beginner’s Guide
Supplier Agreements / Contracts
The number one recommendation is to seek professional legal counsel for all contracts. The following is guidance, but you should always defer to professional legal counsel. Always. You are not a lawyer. Neither are we.
Our first line of defence and go-to mechanism is the supplier agreement or supplier contract. At its core it is a legally binding instrument, and it provides the greatest level of overall protection. A good agreement covers:
- What is required, what will be done, who will do it, and what happens if things go wrong.
- What information is to be provided or accessed, and the methods of access.
- Legal, regulatory and contractual requirements, such as intellectual property rights, copyright and data protection requirements.
- The controls, and the level of control, required of both parties to the agreement.
- Acceptable and unacceptable use of assets.
- How access is granted and removed.
- Penalties, indemnities and remediation for failures to meet the contract.
- Contact information.
- Screening requirements for staff, where legally enforceable.
- How evidence and assurance of information security will be provided.
- Rights to audit.
- How problems or disputes arising under the contract will be resolved.
- Appropriate backup, business continuity and disaster recovery.
- The change management process.
- Physical security, as appropriate.
- Information transfer processes.
- Termination clauses and processes.
- Data destruction and removal processes.
- Handover at the end of the contract.
Contracts are kept and recorded in the Third Party Supplier Register. They are reviewed at least annually, on a risk basis, and on any significant change or event.
How to implement ISO 27001 Annex A 5.19
Implementing ISO 27001 Annex A 5.19 requires a structured approach to manage the risks associated with third-party access to organisational assets. By following these steps, you will establish a robust framework for selecting, monitoring, and offboarding suppliers to maintain your security posture throughout the supply chain.
1. Formalise the Supplier Information Security Policy
- Establish a clear policy that defines the security requirements for all third-party relationships: ensuring consistency across the business.
- Identify specific security requirements for different types of suppliers: such as cloud service providers, maintenance contractors, and consultants.
- Distribute the policy to all procurement staff and relevant stakeholders to ensure it is embedded into the vendor selection process.
2. Categorise Suppliers within the Supplier Register
- Identify every supplier with access to organisational information or systems: recording each one as an entry in your central Supplier Register.
- Categorise suppliers based on the sensitivity of data handled: ranging from low-risk service providers to high-risk technical partners.
- Assign an internal owner for each supplier relationship to maintain accountability for security compliance.
3. Conduct Risk-Based Security Due Diligence
- Perform a pre-contract risk assessment for every new supplier: identifying potential vulnerabilities in their operational processes.
- Utilise security questionnaires to evaluate the supplier’s technical controls: focusing on their adherence to industry standards like ISO 27001 or SOC 2.
- Document all identified risks and obtain formal sign-off from the Risk Owner before proceeding with the engagement.
4. Incorporate Security Requirements into Formal Agreements
- Draft legally binding contracts that include specific information security clauses: ensuring the supplier is contractually obligated to protect your data.
- Define clear Rules of Engagement (ROE) for any technical testing or access: establishing the boundaries of the relationship.
- Include a “Right to Audit” clause and mandatory incident notification windows to ensure transparency during a security event.
5. Provision Granular Identity and Access Management (IAM) Roles
- Apply the Principle of Least Privilege (PoLP) by creating specific IAM roles for supplier personnel: restricting access to only the necessary systems.
- Enforce Multi-Factor Authentication (MFA) for all remote access attempts made by third parties: mitigating the risk of credential theft.
- Schedule quarterly reviews of supplier access rights to ensure that redundant accounts are identified and removed promptly.
6. Address ICT Supply Chain Security Risks
- Mandate that primary suppliers flow down security requirements to their own sub-contractors: ensuring security is maintained throughout the tiers of the supply chain.
- Require evidence of secure development lifecycles (SDLC) for any bespoke software provided by third parties.
- Verify the provenance of hardware components to protect against the insertion of malicious implants or counterfeit equipment.
7. Establish Standardised Incident Reporting Procedures
- Define the mandatory reporting timeline for suppliers in the event of a security breach: ensuring your internal team can respond effectively.
- Integrate supplier contact points into your organisational Incident Response Plan (IRP).
- Conduct joint “desktop” exercises with critical suppliers to test the effectiveness of communication channels during a crisis.
8. Execute Regular Security Audits and Compliance Reviews
- Audit critical suppliers annually to verify that they are meeting their contractual security obligations: using a mix of remote assessments and site visits.
- Review independent audit reports and penetration test summaries provided by the supplier to validate their technical claims.
- Log all audit findings and track the remediation of non-conformities through a formal Corrective Action Plan.
9. Manage Changes in Supplier Service Delivery
- Perform a fresh risk assessment whenever a supplier makes significant changes to their service, location, or infrastructure.
- Evaluate the security implications of supplier mergers or acquisitions: ensuring that the new entity maintains the required security standards.
- Update contract terms and security requirements dynamically as the scope of the supplier relationship evolves over time.
- Monitor supplier performance against agreed Service Level Agreements (SLAs) to ensure security controls do not degrade.
10. Revoke Access and Execute Secure Termination
- Implement a termination checklist to ensure all IAM roles and physical access permissions are revoked immediately upon contract end.
- Verify the secure return or certified destruction of all organisational information assets held by the supplier.
- Formalise the transfer of knowledge and responsibilities to ensure that security continuity is maintained during the transition to a new provider.
Supplier Tiering Example
| Tier | Definition | Example | Due Diligence Required |
|---|---|---|---|
| Tier 1 (Critical) | Holds sensitive data (PII) or critical to uptime. | AWS, Payroll Provider. | ISO 27001 Cert + Deep Audit. |
| Tier 2 (High) | Access to internal systems but no sensitive data. | IT Support Agency. | Security Questionnaire. |
| Tier 3 (Low) | No access to systems/data. | Stationery Supplier. | None / Basic Checks. |
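The tiering rules in the table above, together with the ongoing-monitoring checks described earlier (lapsed certificates, missing or expired contracts, overdue reviews, and access that survives termination), as an added Python example. This is illustration written for this page, not High Table template code. The supplier rows, the dates, the review intervals and the field names of the register are constructed assumptions; the tier logic itself follows the matrix.

```python
"""Supplier register review: assign tiers and flag assurance gaps.

Added illustration, not a High Table template. Tier rules follow the tiering
matrix on this page; review intervals and every supplier row are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: Tier 1 and Tier 2 reviewed at least annually, Tier 3 every two years.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 365, 3: 730}

DUE_DILIGENCE = {
    1: "ISO 27001 certificate + deep audit",
    2: "security questionnaire",
    3: "basic checks",
}


@dataclass
class Supplier:
    name: str
    holds_pii: bool
    critical_to_uptime: bool
    system_access: bool
    contract_expires: Optional[date]   # None = no contract or terms on file
    cert_expires: Optional[date]       # e.g. ISO 27001 certificate expiry; None = none held
    last_reviewed: Optional[date]      # None = never reviewed
    active: bool = True                # False = relationship terminated
    access_revoked: bool = False       # only meaningful once terminated


def assign_tier(s: Supplier) -> int:
    """Tier 1: PII or uptime-critical; Tier 2: system access only; Tier 3: neither."""
    if s.holds_pii or s.critical_to_uptime:
        return 1
    if s.system_access:
        return 2
    return 3


def findings_for(s: Supplier, today: date) -> List[str]:
    """Return the findings an assessor would raise for one register row."""
    tier = assign_tier(s)
    findings: List[str] = []

    # Terminated supplier: the only remaining question is whether access is gone.
    if not s.active:
        if s.system_access and not s.access_revoked:
            findings.append("terminated but system access not revoked")
        return findings

    # No contract, or a contract that has run out.
    if s.contract_expires is None:
        findings.append("no contract or terms on file")
    elif s.contract_expires < today:
        findings.append("contract expired")

    # Tier 1 needs an in-date certificate as assurance.
    if tier == 1:
        if s.cert_expires is None:
            findings.append("Tier 1 supplier without a certificate on file")
        elif s.cert_expires < today:
            findings.append("certificate lapsed")

    # Ongoing monitoring: never reviewed counts as overdue.
    limit = timedelta(days=REVIEW_INTERVAL_DAYS[tier])
    if s.last_reviewed is None or today - s.last_reviewed > limit:
        findings.append("periodic review overdue")

    return findings


def review_register(register: List[Supplier], today: date) -> Dict[str, dict]:
    """Tier every supplier and collect findings; this dict is the audit evidence."""
    report: Dict[str, dict] = {}
    for s in register:
        tier = assign_tier(s)
        report[s.name] = {
            "tier": tier,
            "required_due_diligence": DUE_DILIGENCE[tier],
            "findings": findings_for(s, today),
        }
    return report


# Constructed sample register (fictional suppliers and dates).
SAMPLE_REGISTER = [
    Supplier("CloudHost Ltd", True, True, True, date(2026, 12, 31), date(2025, 1, 15), date(2025, 3, 1)),
    Supplier("Payroll Co", True, False, False, None, date(2026, 6, 30), date(2024, 1, 10)),
    Supplier("IT Support Agency", False, False, True, date(2025, 3, 31), None, date(2025, 5, 1)),
    Supplier("Office Snacks", False, False, False, date(2025, 12, 31), None, None),
    Supplier("Old Dev Agency", False, False, True, date(2024, 12, 31), None, date(2024, 6, 1), active=False),
]
AS_OF = date(2025, 6, 1)

if __name__ == "__main__":
    for name, row in review_register(SAMPLE_REGISTER, AS_OF).items():
        print(f"{name}: Tier {row['tier']} -> {row['findings'] or 'no findings'}")
```

Run against the constructed register, the cloud host is Tier 1 with a lapsed certificate, the payroll provider is Tier 1 with no contract on file and an overdue review, the IT support agency is Tier 2 on an expired contract, the snack supplier is Tier 3 and has never been reviewed, and the terminated dev agency still has system access. Each of those is a line an auditor would write up; the point of keeping the checks in code is that the register is re-checked every time it changes, not once a year before the audit.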
ISO 27001 Supplier Register Template
The ultimate ISO 27001 Supplier Register Template.
ISO 27001 Supplier Policy Template
The ultimate ISO 27001 Supplier Policy Template.
How to comply
To comply with ISO 27001 Annex A 5.19 you are going to implement the ‘how’ that delivers the ‘what’ the control expects. In short, you are going to
- Implement a topic specific policy
- Implement a supplier management process
- Implement an ISO 27001 supplier register
How to audit ISO 27001 Annex A 5.19
Auditing Annex A 5.19 means confirming that third-party risk is managed systematically. This 10-step audit checklist mirrors the implementation steps above and tests that security is embedded into the entire supplier lifecycle, from initial selection to contract termination.
1. Formalise the Supplier Security Policy
- Develop a documented policy defining security requirements for all third-party entities.
- Ensure the policy addresses data protection, physical security, and personnel screening.
- Communicate the policy to all relevant internal stakeholders and procurement teams.
2. Categorise Suppliers within the Supplier Register
- Identify every supplier with access to organisational information or systems.
- Record each of them in the formal Supplier Register to ensure full visibility.
- Assign risk levels based on the sensitivity of the data the supplier processes.
3. Conduct Comprehensive Supplier Risk Assessments
- Evaluate the security posture of potential suppliers before signing contracts.
- Use standardised questionnaires to assess technical controls and compliance history.
- Document identified risks and determine if they fall within the organisational risk appetite.
4. Incorporate Security Requirements into Formal Agreements
- Define clear security obligations within legally binding contracts and NDAs.
- Include a “Right to Audit” clause and establish a clear Rules of Engagement (ROE) document.
- Specify the required uptime, incident notification windows, and data handling procedures.
5. Provision Granular Identity and Access Management (IAM)
- Apply the Principle of Least Privilege (PoLP) for all supplier accounts.
- Enforce Multi-Factor Authentication (MFA) for any remote or administrative access.
- Log and monitor all third-party access attempts to sensitive network segments.
6. Manage Information Security in the ICT Supply Chain
- Mandate that primary suppliers flow down security requirements to their sub-contractors.
- Assess the security of hardware and software components provided by third parties.
- Verify that suppliers follow secure development and manufacturing practices.
7. Establish Incident Management and Reporting Protocols
- Standardise how suppliers must report security breaches or potential vulnerabilities.
- Define the escalation path for significant incidents affecting organisational data.
- Include suppliers in periodic incident response testing and desktop exercises.
8. Execute Regular Security Audits and Compliance Reviews
- Perform scheduled reviews of supplier performance against contractual security obligations.
- Conduct technical audits or vulnerability scans where the ROE permits.
- Request and review independent audit reports, such as SOC 2 or ISO 27001 certificates.
9. Monitor Continuous Service Delivery and Changes
- Track supplier performance against agreed service levels and security KPIs.
- Assess the impact of any changes to the supplier’s service, location, or infrastructure.
- Update risk assessments whenever a significant change occurs in the supplier relationship.
- Evaluate the impact of supplier organisational changes, such as mergers or acquisitions.
10. Revoke Access and Manage Service Termination
- Ensure all IAM roles and physical access permissions are revoked immediately upon termination.
- Verify the secure return or certified destruction of all organisational assets and data.
- Maintain a checklist to confirm that all post-termination obligations are fulfilled.
How to pass the ISO 27001 Annex A 5.19 audit
To pass an audit of ISO 27001 Annex A 5.19 you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What the auditor will check
The audit is going to check a number of areas. Let’s go through the most common.
1. That you have a supplier management process
The auditor is going to check the rules, procedures and supplier management methodology and make sure you followed them. Make sure all suppliers are listed, you have contracts or agreements or terms for each supplier and that you have assurance they are doing the right thing for information security.
2. That you have an ISO 27001 Supplier Register
You will need an ISO 27001 Supplier Register to record and manage your suppliers. Make sure it is up to date and reflects your reality.
3. Documentation
They are going to look at audit trails and all your documentation and check that it is classified and labelled. All the documents that you show them should, as a minimum, be labelled as confidential if they are confidential. Is the document up to date? Has it been reviewed in the last 12 months? Does the version control match?
Top 3 ISO 27001 Annex A 5.19 Mistakes People Make and How to Avoid Them
The top 3 mistakes people make for ISO 27001 Annex A 5.19 are:
1. You have no contracts or legal terms with a supplier
Make sure that there is a contract, agreement, terms of business or some other legal mechanism for engaging with each supplier, that you hold a copy, that it is in date, and that it covers what you are actually using.
2. You have no assurance they are doing the right thing for information security
Make sure you have done your security assessment and can put your hands on an in-date certificate, such as an ISO 27001 certification, as assurance that they are doing the right thing. It needs to be in date and to cover the products and/or services you have acquired and are using from the supplier.
3. Your document and version control is wrong
Keep your document version control up to date, make sure version numbers match wherever they are used, evidence a review in the last 12 months, and make sure documents contain no unresolved comments. These are all good practices.
Applicability of ISO 27001 Annex A 5.19 across different business models.
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | The “Tiering” Logic. You don’t need a complex procurement team. Compliance means having a list (Register) that separates critical data handlers (e.g., your Accountant) from non-risky vendors (e.g., Office Cleaners). | • Supplier Register: A simple Excel sheet listing all vendors, categorized as “Critical” or “Non-Critical.” • Basic Checks: Verifying that your IT support provider uses 2FA before you hire them. |
| Tech Startups | Onboarding Gates. The focus is on preventing “Shadow IT.” You need a policy that says employees cannot sign up for new SaaS tools without a quick security check. | • Vendor Risk Assessment (VRA): Sending a lightweight security questionnaire to new SaaS vendors before signing the contract. • Policy Enforcement: A “Procurement Policy” stating that no company credit card can be used for software without CTO approval. |
| AI Companies | Data Ethics & Privacy. Supplier selection isn’t just about security; it’s about data rights. You must vet whether a supplier (e.g., a data labelling firm) has adequate privacy controls to handle your training sets. | • Due Diligence: Specifically checking if data annotation vendors conduct background checks on their staff. • Ethical Sourcing: Ensuring your “Supplier Policy” mandates that data providers have valid consent for the datasets they sell you. |
Fast Track ISO 27001 Annex A 5.19 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.19 (Information security in supplier relationships), the requirement is to define and implement processes to manage the information security risks associated with third-party products and services. Since suppliers represent one of your largest risks (you rely on them but cannot directly control them), securing this part of your supply chain is critical.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Data Ownership | Rents access to your supplier history; if you cancel the subscription, your documented due diligence logs and risk assessments vanish. | Permanent Assets: Fully editable Word/Excel Supplier Registers and Policies that you own and host forever. | A localized “Supplier Register” stored on your secure drive containing historical ISO certificates and audit reports. |
| Procurement Utility | Attempts to “automate” risk via generic portals that cannot conduct nuanced evaluations of niche or critical suppliers. | Governance-First: Provides the framework to formalize your existing procurement work into an auditor-ready system. | A completed “Supplier Tiering Matrix” proving that high-risk vendors (e.g., Cloud Hosting) undergo stricter vetting. |
| Cost Efficiency | Charges a “Vendor Count Tax” that scales costs aggressively as your supply chain and third-party integrations grow. | One-Off Fee: A single payment covers your supplier governance for 5 vendors or 500. | Allocating budget to actual security improvements rather than monthly “third-party risk” dashboard fees. |
| Strategic Freedom | Mandates rigid questionnaire formats and scoring workflows that may not align with your specific industry or lean model. | 100% Agnostic: Procedures adapt to your workflow—from simple certificate checks to deep-dive technical audits. | The ability to evolve your procurement strategy and risk-scoring criteria without reconfiguring a rigid SaaS module. |
While SaaS compliance platforms often try to sell you “automated vendor risk assessments” or complex “due diligence portals,” they cannot actually conduct a meaningful risk evaluation of a niche supplier or negotiate a security clause into a contract, those are human governance and procurement tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the supplier framework you need to manage your supply chain effectively without a recurring subscription fee.
1. Ownership: You Own Your Supplier Register Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your supplier tiers and store your due diligence logs inside their proprietary system, you are essentially renting your own supply chain history.
- The Toolkit Advantage: You receive the Third-Party Supplier Policy and Supplier Register Template in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your records (such as AWS ISO certificates or payroll provider audits), ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Real-World Procurement
Annex A 5.19 is about managing risks. You don’t need a complex new software interface to record that AWS is a “Tier 1” critical supplier.
- The Toolkit Advantage: Your team already uses tools like email or simple ticketing systems to talk to vendors. What they need is the governance layer to prove to an auditor that these vendors are categorized, risk-assessed, and reviewed. The Toolkit provides pre-written procedures and “Supplier Tiering Matrices” that formalize your existing procurement work into an auditor-ready framework, without forcing your team to learn a new software platform just to log a vendor.
3. Cost: A One-Off Fee vs. The “Vendor Count” Tax
Many compliance SaaS platforms charge more based on the number of “vendors” or “third-party questionnaires” you process. For a control that applies to every single supplier in your company, these monthly costs can scale aggressively.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you manage 5 suppliers or 500, the cost of your Supplier Documentation remains the same. You save your budget for actual security improvements rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Procurement Strategy
SaaS tools often mandate specific questionnaire formats or rigid risk-scoring workflows. If their system doesn’t match your lean business model or specialized industry requirements, the tool becomes a bottleneck.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Supplier Procedures to match exactly how you operate, whether you use a deep-dive technical audit or just a simple certificate check for low-risk vendors. You maintain total freedom to evolve your procurement strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For Annex A 5.19, the auditor wants to see that you have a formal process for managing supplier risk and an up-to-date register of your third parties. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.19 Applicable Laws and Related Standards
| Standard / Law | Relevant Section / Requirement | Mapping & Compliance Logic |
|---|---|---|
| NIST CSF v2.0 | GV.SC (Supply Chain Risk Management) | NIST mandates that supply chain risk is part of the governance strategy. It requires formalised supplier selection and monitoring, mirroring A 5.19. |
| DORA (EU) | Chapter V (ICT Third-Party Risk) | The most stringent mapping. DORA requires “Standard Contractual Clauses” and mandatory exit strategies for critical ICT third-party providers. |
| NIS2 (EU) | Article 21 (Supply Chain Security) | Requires entities to assess the security of their direct suppliers and the quality of their cybersecurity practices, including secure development. |
| SOC 2 (Trust Services) | CC9.1 & CC9.2 (Vendor Management) | Focuses on whether the entity evaluates, selects, and monitors third-party service providers to ensure security commitments are met. |
| GDPR (EU/UK) | Article 28 (Processor Contracts) | Mandates that “Data Processing Agreements” (DPAs) are in place, ensuring the supplier provides sufficient guarantees of technical security. |
| UK Data (Use & Access) Act 2025 | Part 1 (Security of Data Flows) | Evolves GDPR by focusing on “Trusted Data Partners.” A 5.19 is the mechanism used to verify these partners meet the UK’s updated security thresholds. |
| UK Cyber Security & Resilience Bill | Section: MSP Regulation | Expands the scope of NIS2-style reporting to Managed Service Providers. A 5.19 is the audit control used to verify MSP compliance. |
| EU AI Act | Article 16 & 25 (Provider obligations; responsibilities along the AI value chain) | High-risk AI system providers must ensure their suppliers (data annotators, model hosts, component vendors) follow strict quality and security protocols, set out in written agreements. |
| ISO/IEC 42001:2023 | Annex A.10 (Third-party and customer relationships, including A.10.3 Suppliers) | The AI Management System standard. Its supplier controls mirror A 5.19 for managing the unique risks of “AI as a Service” (AIaaS) vendors. |
| CIRCIA (USA) | 72-Hour Reporting Rule | While focused on the incident, A 5.19 is where you contractually “hook” the supplier into the 72-hour reporting window required by US law. |
| EU PLD (Product Liability) | Cybersecurity Flaw Liability | Extends strict liability to software. A 5.19 becomes a “liability shield” for companies to ensure suppliers are accountable for flaws. |
| ECCF (EU Certification) | Harmonised Security Labels | Future state mapping where A 5.19 reviews will require suppliers to present an EU-wide harmonised security label for their products. |
| HIPAA (USA) | § 164.308(b) (Business Associates) | Requires “Business Associate Agreements” (BAAs) to ensure third parties protect PHI (Protected Health Information). |
| CCPA / CPRA (California) | § 1798.140 (Service Providers) | Requires written contracts that prohibit service providers from retaining, using, or disclosing personal information for any other purpose. |
The Modern Supply Chain: Software Bill of Materials (SBOM)
In the 2022 update, the supply chain focus shifted heavily towards the technical stack. If you are a tech startup or an AI company, I will ask to see your Software Bill of Materials (SBOM). You cannot manage the risk of a supplier if you do not know which open source libraries or sub-components they are using.
Stuart’s Pro Tip: Do not just ask for an SBOM and file it away. You must prove you have reviewed it for known vulnerabilities (CVEs). An unreviewed SBOM is just a list; a reviewed SBOM is audit evidence.
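What “reviewing the SBOM for known vulnerabilities” looks like when it is actually done, as an added Python example (not code from this page, the toolkit, or any SBOM tool). The SBOM is a minimal constructed CycloneDX document; the advisory list is a constructed OSV-style stand-in with made-up identifiers (ADV-000x), not real CVEs, and in practice it would be fetched from a vulnerability database. The example also shows the case an auditor should ask about: a component with no package URL cannot be matched and must be reviewed by hand.

```python
"""SBOM review against a vulnerability feed (added illustration).

Constructed CycloneDX SBOM and constructed OSV-style advisories; the ADV-000x
identifiers are placeholders, not real CVEs.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:generic/openssl@3.0.2?arch=amd64"},
        {"type": "library", "name": "internal-auth", "version": "1.4.0"},  # no purl at all
    ],
})

# Constructed advisories: ecosystem + package, with half-open [introduced, fixed) ranges.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "maven", "package": "org.apache.logging.log4j:log4j-core",
     "ranges": [{"introduced": "2.0", "fixed": "2.15.0"}]},
    {"id": "ADV-0002", "ecosystem": "pypi", "package": "requests",
     "ranges": [{"introduced": "0", "fixed": "2.31.0"}]},
    {"id": "ADV-0003", "ecosystem": "generic", "package": "openssl",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.0.7"}]},
]


def version_key(v: str) -> tuple:
    """Sortable key: numeric segments compare as ints, anything else as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """'pkg:maven/ns/name@1.2?q=x' -> ('maven', 'ns:name', '1.2'); version '' if absent."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ecosystem, path = body.split("/", 1)
    path, version = path.rsplit("@", 1) if "@" in path else (path, "")
    parts = path.split("/")
    name = ":".join(parts) if len(parts) > 1 else parts[0]  # namespace:name for maven-style purls
    return ecosystem, name, version


def affected_range(version: str, ranges: List[dict]) -> Optional[dict]:
    """Return the range that contains `version`, or None (fixed is exclusive)."""
    v = version_key(version)
    for r in ranges:
        lo = version_key(r.get("introduced", "0"))
        hi = r.get("fixed")
        if v >= lo and (hi is None or v < version_key(hi)):
            return r
    return None


def review_sbom(sbom_json: str, advisories: List[dict]) -> Tuple[List[dict], List[str]]:
    """Return (findings, unmatched): advisories hit, and components that cannot be checked."""
    index: Dict[Tuple[str, str], List[dict]] = {}
    for adv in advisories:
        index.setdefault((adv["ecosystem"], adv["package"]), []).append(adv)

    findings, unmatched = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp["name"])  # nothing to look up: manual review item
            continue
        eco, name, version = parse_purl(purl)
        if not version:
            unmatched.append(comp["name"])  # purl without a version cannot be range-checked
            continue
        for adv in index.get((eco, name), []):
            hit = affected_range(version, adv["ranges"])
            if hit is not None:
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": hit.get("fixed")})
    return findings, unmatched


if __name__ == "__main__":
    found, manual = review_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    print("needs manual review:", manual)
```

The dated output of this script, kept with the SBOM it was run against, is the “reviewed SBOM” the Pro Tip asks for. Note the boundary case: `requests 2.31.0` is not reported because the advisory’s `fixed` version is exclusive, which is how OSV-style ranges work; a reviewer who treats `fixed` as inclusive will raise false findings.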
The “Supplier Exit Strategy” (Annex A 5.19 & 5.22)
What happens if your critical Tier 1 supplier goes bankrupt or is hit by a massive ransomware attack? Most organizations have a process for onboarding but zero plan for Service Continuity. To pass the audit, you need a documented exit strategy for every Tier 1 supplier.
- Data Portability: How do you get your data out in a machine readable format?
- Transition Timelines: How long would it take to move to a competitor?
- Contractual Teeth: Does your contract mandate the supplier assists in the “handover” to a new provider?
The “Big Tech” Trap: Handling AWS, Azure, and Google
I often hear people say: “We can’t audit AWS, so we just skip that part.” That is a fast track to a non-conformity. You cannot audit them, but you can assure them. For “Big Tech” suppliers where you have no leverage, your audit trail must include:
- SOC 2 Type II Reports: Do not just look at the bridge letter; look at the “Exceptions” section of the report.
- Shared Responsibility Model: You must document exactly which parts of security AWS handles and which parts you are responsible for (e.g., they secure the data center; you secure the S3 bucket).
Shadow IT: Finding the “Hidden” Suppliers
Your Supplier Register might look perfect, but if your Marketing team is using an unapproved AI tool to process customer data, your register is a lie. As an auditor, I will check your Cloud Access Security Broker (CASB) logs or your bank statements to see if there are SaaS subscriptions that are not on your register.
Compliance Action: Implement a “no-spend” rule. Procurement should not release funds for any software or service unless it has been signed off by the Security Officer and added to the Supplier Register.
N-Tier Visibility: Who is your Supplier’s Supplier?
Risk does not stop at your direct partner. If your payroll provider uses a sub-contractor for cloud hosting, you are at risk. You must mandate N-Tier Visibility in your contracts. This means your primary supplier must notify you if they change their own critical sub-contractors, as this fundamentally changes your risk profile.
Security SLAs (Beyond Uptime)
Most Service Level Agreements (SLAs) focus on “99.9% uptime.” For ISO 27001, I want to see Security SLAs. If a supplier finds a “Critical” vulnerability in their system that affects your data, how quickly are they contractually obligated to patch it? (e.g., within 48 hours).
The Supplier Risk Assessment Methodology
You may say that you do a risk assessment, but the auditor will ask: “How exactly do you calculate the risk score?” If you just say “it felt like a Tier 1,” you will get a non-conformity. You need a documented methodology. This typically involves scoring two factors: Criticality (how bad is it if they go offline?) and Data Sensitivity (what happens if they lose the data?).
Compliance Action: Ensure your Supplier Register includes a column for the Date of the Last Risk Assessment and a link to the specific scoring logic used. If the risk environment changes—for example, a supplier moves their data center from the UK to a high risk jurisdiction—the score must be updated.
The Scoring Formula
We use a simple formula to determine the Supplier Risk Score. We look at the Data Sensitivity (what they hold) and the Operational Criticality (what happens if they stop working).
Risk Score = (Data Sensitivity Score + Operational Criticality Score)
1. Data Sensitivity (Score 1 to 5)
- Score 1 (None): No access to organizational data (e.g., Office furniture supplier).
- Score 3 (Internal): Access to non-sensitive internal documents or public-facing info.
- Score 5 (Sensitive): Access to PII, Financial records, IP, or Customer production data.
2. Operational Criticality (Score 1 to 5)
- Score 1 (Low): We can function for weeks without this service (e.g., Stationery).
- Score 3 (Medium): Temporary disruption is annoying but manageable (e.g., Internal Slack).
- Score 5 (High): Business stops immediately if they go down (e.g., Cloud Hosting, CRM).
Determining the Tier
Once you have your total score, you map it to your Supplier Tiers to determine the level of due diligence required:
| Total Score | Supplier Tier | Mandatory Action |
|---|---|---|
| 8 to 10 | Tier 1 (Critical) | Full Security Audit, ISO 27001 Cert check, and Exit Strategy. |
| 5 to 7 | Tier 2 (High) | Standard Security Questionnaire and Right to Audit clause. |
| 2 to 4 | Tier 3 (Low) | Basic verification or acceptance of generic Terms of Service. |
The Reassessment Trigger
Risk is not static. Your methodology must include triggers for when a supplier needs to be re-scored. In my audits, I look for evidence that you re-evaluated a supplier because:
- The supplier changed their sub-processors (N-Tier change).
- The scope of the service expanded (e.g., they started as a consultant but now host your data).
- The supplier suffered a public security breach.
- It has been 12 months since the last review.
Stuart’s Pro Tip: Keep a record of the raw scores in your Supplier Register. If I ask why your Payroll provider is Tier 1, you should be able to show me the 5 for Data Sensitivity and the 5 for Criticality. It is simple, transparent, and impossible for an auditor to argue with.
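The following Python is an added example, not code from the author's templates: it implements the scoring formula, the tier table and the reassessment triggers from this section over a constructed three-row Supplier Register (supplier names and dates are invented), keeping the raw scores next to the tier so the "why is Payroll Tier 1?" question can be answered from the register itself.

```python
from datetime import date, timedelta

# Score definitions from the methodology above; only 1, 3 and 5 are valid.
DATA_SENSITIVITY = {1: "None", 3: "Internal", 5: "Sensitive"}
OPERATIONAL_CRITICALITY = {1: "Low", 3: "Medium", 5: "High"}

# Tier table: (lowest total, highest total, tier, mandatory action).
TIERS = [
    (8, 10, "Tier 1 (Critical)", "Full Security Audit, ISO 27001 Cert check, and Exit Strategy"),
    (5, 7, "Tier 2 (High)", "Standard Security Questionnaire and Right to Audit clause"),
    (2, 4, "Tier 3 (Low)", "Basic verification or acceptance of generic Terms of Service"),
]

REVIEW_INTERVAL = timedelta(days=365)  # the "12 months since the last review" trigger

# Constructed register rows; dates are ISO strings so each row stays plain data.
SAMPLE_REGISTER = [
    {"name": "Payroll provider", "data_sensitivity": 5, "operational_criticality": 5,
     "last_assessed": "2025-01-10", "subprocessors_changed": False,
     "scope_expanded": False, "public_breach": False},
    {"name": "Internal chat platform", "data_sensitivity": 3, "operational_criticality": 3,
     "last_assessed": "2025-06-15", "subprocessors_changed": False,
     "scope_expanded": True, "public_breach": False},
    {"name": "Stationery supplier", "data_sensitivity": 1, "operational_criticality": 1,
     "last_assessed": "2025-09-01", "subprocessors_changed": False,
     "scope_expanded": False, "public_breach": False},
]


def risk_score(data_sensitivity, operational_criticality):
    """Risk Score = Data Sensitivity Score + Operational Criticality Score."""
    if data_sensitivity not in DATA_SENSITIVITY:
        raise ValueError(f"data sensitivity must be one of {sorted(DATA_SENSITIVITY)}")
    if operational_criticality not in OPERATIONAL_CRITICALITY:
        raise ValueError(f"operational criticality must be one of {sorted(OPERATIONAL_CRITICALITY)}")
    return data_sensitivity + operational_criticality


def tier_for(total):
    """Map a total score to (tier, mandatory action) using the tier table."""
    for low, high, tier, action in TIERS:
        if low <= total <= high:
            return tier, action
    raise ValueError(f"total {total} is outside the 2 to 10 range of the methodology")


def reassessment_triggers(supplier, today):
    """Return the reasons this supplier must be re-scored; empty means none apply."""
    reasons = []
    if supplier["subprocessors_changed"]:
        reasons.append("N-Tier change: sub-processors changed")
    if supplier["scope_expanded"]:
        reasons.append("Scope of service expanded")
    if supplier["public_breach"]:
        reasons.append("Public security breach")
    last = date.fromisoformat(supplier["last_assessed"])
    if date.fromisoformat(today) - last >= REVIEW_INTERVAL:
        reasons.append("12 months since last review")
    return reasons


def assess_register(register, today):
    """Score every supplier, keeping the raw scores beside the tier and the
    list of triggers that make the current score stale."""
    results = {}
    for supplier in register:
        total = risk_score(supplier["data_sensitivity"], supplier["operational_criticality"])
        tier, action = tier_for(total)
        results[supplier["name"]] = {
            "data_sensitivity": supplier["data_sensitivity"],
            "operational_criticality": supplier["operational_criticality"],
            "score": total, "tier": tier, "mandatory_action": action,
            "last_assessed": supplier["last_assessed"],
            "reassess_because": reassessment_triggers(supplier, today),
        }
    return results
```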
Assuring Open Source Software (OSS)
ISO 27001 Annex A 5.19 applies to “supplier products.” In a modern tech stack, many of your “suppliers” are actually Open Source projects. You do not have a contract with the developers of a Python library, but you are still responsible for the security of that product. An auditor will check if you have a process for vetting Open Source before it is pulled into your production environment.
- Vetting Tooling: Use Software Composition Analysis (SCA) tools to automatically check for vulnerabilities in Open Source components.
- Approval Process: Developers should not be allowed to add new libraries to the codebase without a quick security check against known vulnerabilities.
The Communication Plan (Beyond Incidents)
Most people only think about talking to suppliers when things go wrong. Annex A 5.19 requires a defined communication path for all security matters. This includes who manages the relationship, who handles technical security queries, and who is responsible for verifying that the supplier is actually meeting their KPIs.
Stuart’s Pro Tip: Create a Supplier Contact Matrix. If your primary contact at a critical vendor leaves, who is your backup? If you cannot reach anyone during a security event because your only contact is an unmonitored “support@vendor.com” email address, you have failed the control.
Handling “Free” and “Freemium” Services
This is a massive audit trap. If your team uses a free version of a project management tool or a free AI translator, you likely have no formal contract and have never done a risk assessment. Because no money is changing hands, these suppliers often fly under the radar of Procurement. However, if company data is being uploaded, they are a supplier under Annex A 5.19.
Compliance Action: Your Supplier Policy must explicitly state that “Free” services are subject to the same vetting and approval process as paid services if they involve organizational data.
The Internal Audit of the Procurement Process
Finally, I want to see that you have audited your own procurement process. Does IT actually get a seat at the table before a contract is signed? Or are they just told to “set up the account” after the deal is already done? Proof of Early Involvement is the ultimate sign of a mature ISMS. Show the auditor a ticket where the Security Officer asked for a change to a contract before it was signed by the CEO.
The Supplier Security Questionnaire (SAQ) Logic
You have identified a Tier 1 supplier. Now you need to vet them. The mistake most people make is sending a 200-question spreadsheet to every vendor. This is a waste of time and leads to “survey fatigue.” Your vetting process should be modular.
Compliance Action: Create a “Core” set of questions for all vendors (e.g., Do you use MFA? Do you have an Incident Response plan?) and a “Technical” set for Tier 1 vendors (e.g., Show us your last penetration test summary or SOC 2 report). This proves to the auditor that your vetting is proportional to the risk.
Managing the Gap: The Supplier Corrective Action Plan
What happens if your perfect supplier fails a security check? If you hire them anyway without documentation, you have a major non-conformity. In the real world, suppliers are rarely perfect. ISO 27001 Annex A 5.19 is about managing risk, not just avoiding it.
- Risk Acceptance: If a supplier does not have MFA but is the only provider in the market, you must formally document a Risk Acceptance signed by your CISO or CEO.
- Remediation Tracking: If a supplier promises to fix a security flaw within six months, you must track this. I want to see a “Corrective Action Plan” (CAP) where you followed up with the vendor to ensure they actually did what they said they would.
Physical Supplier Security: The “Server Room” Test
If you use a third party for physical data storage, backup tape offsite storage, or even a co-location data center, your vetting must include physical security. You cannot just check their firewall; you need to check their doors.
Audit Focus: For physical Tier 1 suppliers, your audit trail should include evidence of checking their access control logs, CCTV coverage, and visitor management procedures. If you cannot visit in person, you must review their Type II Physical Security Audit report.
The Procurement Veto: Closing the Loop
The biggest failing in supplier management is “Shadow Procurement,” where a department signs a contract before IT or Security even knows the vendor exists. To pass your audit, you need to prove that Security has a Veto Power or a formal seat at the “Sign-Off” table.
Stuart’s Pro Tip: Show the auditor your “New Supplier Onboarding” form. It should have a mandatory signature field for the Information Security Officer. If that signature is missing, the contract cannot be legally signed by the CEO. This is the ultimate proof of a functioning 5.19 control.
Supplier Assurance Rotation
Finally, do not let your evidence go stale. An ISO 27001 certificate expires. A SOC 2 report is only valid for a year. I have caught many organizations showing me an AWS ISO certificate that expired three years ago.
Compliance Action: Set a calendar reminder or use your Supplier Register to track “Assurance Expiry.” You must proactively ask your Tier 1 and Tier 2 suppliers for their new certificates every year. If you show me an expired certificate during an audit, it proves your “Ongoing Monitoring” (A 5.22) is not working.
The AI Transparency Requirement: Who is Training on Your Data?
The biggest risk with AI suppliers is “Data Leakage by Design.” Many AI providers use the data you upload to train their future models. This is a nightmare for confidentiality. To comply with Annex A 5.19, you must verify the data usage terms of every AI vendor.
- Zero Retention Policies: For Tier 1 AI suppliers, you must contractually mandate that your data is excluded from their training sets.
- Opt Out Evidence: I will ask to see the specific toggle or settings within the supplier portal that proves you have opted out of model training.
Vetting AI as a Service (AIaaS) Providers
If you are integrated with an AI provider via API, you are not just buying software; you are buying a model. You must vet the Model Governance of that supplier. An auditor will check if you have assessed the following:
- Model Provenance: Where did the training data come from? Did the supplier have the legal right to use it?
- Bias and Accuracy Monitoring: How does the supplier ensure the AI output is reliable and does not introduce risk to your business operations?
- Rate Limiting and Availability: AI models are resource heavy. Does your supplier guarantee the API uptime needed for your critical processes?
Indirect AI Risk: Your Supplier’s AI
This is the “Hidden AI” trap. Your payroll provider might start using a third-party AI tool to “optimize” their calculations. If that AI is insecure, your data is at risk even though you didn’t choose the AI tool. This is N-Tier AI Risk.
Compliance Action: Your Supplier Security Questionnaire must now include a mandatory question: “Do you use Artificial Intelligence or Machine Learning to process our data, and if so, what security framework do you use to govern it (e.g., ISO 42001)?”
The EU AI Act and Regulatory Alignment
If you or your suppliers operate in the EU, you must align your Annex A 5.19 vetting with the EU AI Act. High risk AI systems have mandatory transparency and security requirements. Your audit trail should show that you have identified which of your suppliers fall under the “High Risk” category of the Act and that you have verified their compliance certificates.
AI Incident Response: The “Hallucination” Clause
A standard “Data Breach” clause is not enough for AI. You need to define what an “AI Incident” looks like with your supplier. If the AI provides dangerously incorrect information to your customers (a hallucination), is the supplier obligated to report that to you as a security event? In 2026, the answer must be yes.
ISO 42001: The New Gold Standard for AI Assurance
Just as you look for ISO 27001 for general security, you should now look for ISO 42001 (AI Management System) for your critical AI suppliers. If a supplier is ISO 42001 certified, it provides a massive level of assurance that they are managing AI risks like model bias, data privacy, and ethical use correctly. Documenting this in your Supplier Register makes the auditor’s life very easy.
The 2026 Auditor’s Favorite: The Climate Amendment
In 2024, ISO released an amendment (Amd 1:2024) that auditors are now strictly enforcing in 2026. You are now required to determine if climate change is a relevant issue for your supply chain. If your Tier 1 data center is in a flood zone or an area prone to wildfires, and you haven’t documented that risk in your Supplier Register, you have a gap.
Compliance Action: Add a column to your Supplier Register for Geographic or Environmental Risk. If a critical supplier is in a high risk climate zone, you must prove you have an alternative supplier in a different region to ensure Availability. This is not just about being green; it is about keeping the lights on when the weather turns.
Supply Chain Escrow: The Ultimate Plan B
You have an Exit Strategy, but what if the supplier vanishes overnight? If you rely on a niche SaaS provider for your core business logic and they go into liquidation, a data export won’t save you if the software itself is gone. For your most critical Tier 1 software suppliers, I want to see evidence of Source Code Escrow or Data Escrow.
- Source Code Escrow: A third party holds the code. If the vendor fails, you get the keys to run it yourself.
- Audit Evidence: Show me the signed Escrow Agreement and proof that the deposit was verified in the last 12 months. If you don’t have this for a critical dependency, you are carrying a massive unmitigated risk.
The Human Firewall: Supplier Awareness Training
You train your staff on security, but do you train the people who manage your suppliers? I often see security breaches where a person in a partner organization used social engineering on a local admin to get unauthorized access. ISO 27001 Annex A 5.19 requires that your staff who interact with suppliers are trained on the specific risks of those relationships.
Stuart’s Pro Tip: Your training logs should show that your Account Managers know how to spot a Supply Chain Compromise. They need to know that if a supplier suddenly asks to change their bank details via a PDF attachment, it is a red flag that requires out of band verification. The human is the weakest link in your supply chain.
Monitoring Beyond the Spreadsheet: Security KPIs
Most monitoring is just checking if an ISO certificate is still in date. That is the bare minimum. In 2026, I want to see Security Performance KPIs. If a supplier is Tier 1, you should be measuring them against technical benchmarks, not just uptime.
| Security KPI | Target | Evidence Required |
|---|---|---|
| Patching Latency | Criticals in less than 48 Hours | Vulnerability scan summaries or Attestation letters. |
| MFA Coverage | 100 percent of User Base | Configuration screenshot from the supplier admin panel. |
| Incident Notification | Within 4 Hours | Evidence of Communication Tests or tabletop exercises. |
The Open Source Dilemma: Suppliers You Cannot Contract
Many organizations forget that Open Source Software (OSS) is a supplier product under 5.19. You cannot get the developers of the Linux kernel to sign your DPA. In this case, your Supplier Management is actually Software Composition Analysis (SCA).
Compliance Action: For critical OSS components, your due diligence is documenting the health of the project. Is it actively maintained? Does it have a history of unpatched CVEs? If you use OSS for critical functions, your Supplier Register should link to your Vulnerability Management logs to prove you are monitoring that silent supplier.
ISO 27001 Annex A 5.19 FAQ
What is ISO 27001 Annex A 5.19?
ISO 27001 Annex A 5.19 is a governance control that requires organisations to establish and implement a formal policy to protect assets accessible by suppliers.
- Mandates a formalised “Topic-Specific Policy on Supplier Relationships.”
- Focuses on mitigating risks associated with third-party access to organisational data.
- Requires clear security requirements to be defined before onboarding any vendor.
- Ensures that security standards are maintained throughout the entire supplier lifecycle.
What is the main objective of Annex A 5.19?
The primary goal is to ensure that information security is maintained at the same standard when organisational assets are accessed or managed by third-party suppliers.
- Prevents unauthorised access to sensitive data via weak link vendors.
- Establishes accountability for security within the supply chain.
- Provides a framework for consistent risk assessment of all external partners.
- Aligns supplier activities with the organisation’s internal ISMS objectives.
What are the mandatory requirements for compliance with 5.19?
To satisfy ISO 27001 Annex A 5.19, an organisation must demonstrate a documented process for vetting, contracting, and managing suppliers.
- Supplier Risk Assessment: Documented evidence of reviewing vendor security before signing.
- Supplier Security Policy: A signed, topic-specific policy governing third-party behaviour.
- Inventory of Suppliers: A formalised list of all vendors with access to organisational information.
- Security Clauses: Explicit security requirements included in all legal service agreements.
How do you perform a supplier security risk assessment?
A supplier risk assessment is performed by evaluating a vendor’s security posture against your organisation’s risk appetite using questionnaires or audit reports.
- Step 1: Determine the sensitivity of the data the supplier will access.
- Step 2: Issue a Security Questionnaire (SAQ) or review SOC 2/ISO 27001 certificates.
- Step 3: Identify gaps between vendor controls and your internal requirements.
- Step 4: Implement compensatory controls or reject the supplier based on the risk score.
Is a “Right to Audit” clause required for Annex A 5.19?
Yes, while the specific terminology may vary, the organisation must have the legal right to monitor and review supplier security performance.
- Allows for periodic onsite or remote security audits.
- Mandates that suppliers provide independent audit reports (e.g., SOC 2 Type II).
- Ensures the organisation can verify that security controls are functioning as promised.
- Typically formalised within the Master Service Agreement (MSA) or a DPA.
How does Annex A 5.19 relate to the 2022 ISO 27001 update?
Annex A 5.19 in the 2022 update is a direct evolution of the previous Annex A 15.1.1, now categorised under “Organisational Controls.”
- Consolidation: It streamlines the focus on the “Policy” layer of supplier management.
- Hierarchy: It acts as the “Parent” control for subsequent controls like 5.20 and 5.21.
- Scope: Explicitly emphasises “Topic-Specific” policies rather than generic statements.
What are the technical requirements for Annex A 5.19?
The technical implementation of Annex A 5.19 requires several specific controls to protect organisational assets. These include:
- Identity and Access Management (IAM): Provisioning roles based on the Principle of Least Privilege.
- Multi-Factor Authentication (MFA): Enforcing hardware or app-based MFA for all third-party remote access.
- Asset Register: Documentation of all suppliers and the specific data sets they process.
- Encryption: Mandating AES-256 encryption for data at rest and TLS 1.3 for data in transit.
How does Annex A 5.19 relate to DORA and NIS2?
Annex A 5.19 provides the operational framework required to satisfy the “Third-Party Risk” pillars of DORA and NIS2. While DORA mandates strict contractual clauses for financial ICT providers, A 5.19 supplies the audit evidence and risk assessment methodology needed to prove compliance with these regulatory frameworks.
What is the cost of ignoring supplier security controls?
Failure to implement supplier controls can result in fines exceeding £17.5 million or 4% of global turnover under the UK Data (Use and Access) Act 2025. Beyond regulatory penalties, the average cost of a third-party data breach in 2026 is estimated at £3.8 million, factoring in remediation and reputational damage.
Related ISO 27001 Controls and Further Reading
| Related ISO 27001 Control | Relationship Description |
|---|---|
| How to Implement ISO 27001 Annex A 5.19 | This is the technical operational guide for the 5.19 control, providing the step-by-step manual instructions required to move from high-level policy to actual implementation in the field. |
| ISO 27001 Annex A 5.19 Audit Checklist | This page provides the specific verification criteria I use during an audit to validate that your supplier management processes are functioning as intended and producing the necessary evidence. |
| Information Security in Supplier Relationships Glossary | This is the foundational definition of the 5.19 control, serving as a semantic anchor for AI parsers to understand the core terminology and intent behind supply chain security. |
| ISO 27001 Annex A 5.20 Supplier Agreements | While 5.19 sets the policy, 5.20 is where we get the contractual teeth: this related control focuses on the legally binding agreements that force your suppliers to actually follow your security rules. |
| ISO 27001 Annex A 5.21 ICT Supply Chain | This control extends the 5.19 relationship management into the technical deep-end, specifically focusing on the hardware, software, and services that make up your information and communications technology stack. |
| ISO 27001 Annex A 5.22 Monitoring and Review | The 5.22 control is the ongoing “vigilance” layer for 5.19, ensuring that once you have set the policy and signed the contract, you are actually watching the supplier’s performance on a continuous basis. |
| ISO 27001 Annex A 5.23 Cloud Services | As a specialised subset of supplier management, 5.23 takes the general principles of 5.19 and applies them specifically to the unique shared responsibility models of SaaS, PaaS, and IaaS providers. |
ISO 27001 Supplier Security Policy Beginner’s Guide
ISO 27001: The Importance Of Third-Party Supplier Security Management
ISO 27001 controls and attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify | Supplier relationships security | Governance and ecosystem, Protection |