In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.19 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.19 Information Security in Supplier Relationships
ISO 27001 Annex A 5.19 requires organizations to define and implement processes to manage information security risks associated with the use of supplier products or services. Suppliers often represent your greatest “blind spot”; they hold your data and maintain your systems, yet you cannot directly manage their internal security. This control ensures that you maintain an agreed-upon level of security throughout the Supply Chain, from initial vetting to the termination of the contract.
Core requirements for compliance include:
- Supplier Vetting & Due Diligence: Before signing a contract, you must evaluate a supplier’s security posture. This is typically done through security questionnaires or by verifying their ISO 27001 Certification.
- Risk-Based Tiering: Not all suppliers are equal. You should categorize suppliers into “Tiers” based on the sensitivity of the data they handle or their criticality to your operations.
- Contractual Binding: Security requirements must be legally enforceable. This includes “Right to Audit” clauses, data protection terms (GDPR), and incident notification timelines.
- The Supplier Register: You must maintain a central inventory of all third-party suppliers, their contact details, and their current security status.
- Access Management: You must define how suppliers access your systems, ensuring they only have the minimum access required (Least Privilege) and that this access is revoked immediately when the project ends.
- Ongoing Monitoring: Supplier security is not a “one-off” check. You must periodically review critical suppliers to ensure they haven’t allowed their certifications to lapse or their security standards to drift.
Audit Focus: Auditors will look for “The Supply Chain Paper Trail”:
- Direct Evidence of Vetting: “Show me the security assessment for your cloud hosting provider or your payroll company. How did you verify they were secure?”
- Contractual Review: “Does your contract with your external IT support include a clause about notifying you of a data breach within a specific timeframe?”
- Tiering Logic: “Show me your Supplier Tiering Matrix. Why is your stationery supplier categorized differently than your SaaS CRM provider?”
Supplier Tiering Matrix (Audit Prep):
| Supplier Tier | Definition | Example | Required Due Diligence | ISO 27001:2022 Control |
|---|---|---|---|---|
| Tier 1 (Critical) | Holds PII or critical to uptime. | AWS, Azure, Payroll. | ISO 27001 Cert + Deep Audit. | Annex A 5.19 / 5.23 |
| Tier 2 (High) | Has system access, no PII. | IT Support, Dev Agency. | Security Questionnaire. | Annex A 5.19 / 5.21 |
| Tier 3 (Low) | No access to systems/data. | Office Snacks, Furniture. | None / Basic ID Checks. | Annex A 5.19 |
Table of contents
- What is ISO 27001 Annex A 5.19?
- Watch the ISO 27001 Annex A 5.19 Tutorial
- ISO 27001 Annex A 5.19 Podcast
- ISO 27001 Annex A 5.19 Implementation Guidance
- How to implement ISO 27001 Annex A 5.19
- Supplier Tiering Example
- ISO 27001 Supplier Register Template
- ISO 27001 Supplier Policy Template
- How to comply
- How to pass the ISO 27001 Annex A 5.19 audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.19 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.19 across different business models.
- Fast Track ISO 27001 Annex A 5.19 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.19 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 controls and attribute values
What is ISO 27001 Annex A 5.19?
ISO 27001 Annex A 5.19 covers information security in supplier relationships, which means you must secure your supply chain and manage the security risks that come from using third-party suppliers.
ISO 27001 Annex A 5.19 Information Security In Supplier Relationships is an ISO 27001 control that requires an organisation to manage the information security risks of using supplier products and services.
It is about securing the supply chain.
Suppliers represent one of your biggest risks: you cannot directly manage or influence them, yet you almost certainly rely on them. They hold your data and provide services that you need to be successful.
ISO 27001 Annex A 5.19 Purpose
ISO 27001 Annex A 5.19 is a preventive control. Its purpose is to ensure you maintain an agreed level of information security in supplier relationships.
ISO 27001 Annex A 5.19 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.19 as:
Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
ISO 27001:2022 Annex A 5.19 Information Security In Supplier Relationships
Watch the ISO 27001 Annex A 5.19 Tutorial
In the video ISO 27001 Information Security In Supplier Relationships Explained – ISO27001:2022 Annex A 5.19 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.19 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.19 Information Security In Supplier Relationships. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.19 Implementation Guidance
We are going to rely on a couple of mechanisms to ensure information security in supplier relationships.
Topic Specific Policy
The standard requires a topic-specific policy on supplier relationships – ISO 27001 Supplier Policy Template
Supplier Management Process
You will need a supplier management process that sets out:
- how to identify and document suppliers and supplier types
- how to evaluate suppliers according to the information processed, transmitted or shared
- how to review the controls that are in place
- what suppliers can access, monitor, control and use
- how to assess and manage supplier risks
- how to monitor and ensure compliance with information security requirements
- what mitigation is implemented when a supplier is non-compliant
- how incidents are handled
- availability, business continuity and disaster recovery
- how the transfer of information is managed
- the process for terminating and ending a supplier relationship
- what level of personnel security and physical security is expected
ISO 27001 Supplier Register
The best way to manage ISO 27001 Suppliers is via the ISO 27001 Supplier Register. You can learn more in the ISO 27001 Supplier Register Beginner’s Guide
Supplier Agreements / Contracts
The number one recommendation is to seek professional legal counsel for all contracts. The following is guidance, but you should always defer to professional legal counsel. Always. You are not a lawyer. We are not lawyers.
Our first line of defence, and the go-to mechanism, is the supplier agreement or supplier contract. At its core it is a legally binding mechanism, and it provides the greatest level of overall protection. It sets out:
- what is required, what will be done, who will do it, and what happens if things go wrong
- what information is to be provided or accessed, and the methods of access
- legal, regulatory and contractual requirements, such as intellectual property rights, copyright and data protection requirements
- the controls, and the levels of control, required of both parties to the agreement
- acceptable and unacceptable use of assets
- how access is granted and removed
- penalties, indemnities and remediation for failure to meet the contract
- contact information
- screening requirements for staff, where legally enforceable
- how evidence and assurance of information security will be provided
- rights to audit
- how problems or conflicts with the contract are resolved
- appropriate backup, business continuity and disaster recovery
- the process for change management
- physical security as appropriate
- information transfer processes
- termination clauses and processes
- data destruction and removal processes
- handover at the end of the contract
Contracts are kept and recorded in the Third Party Supplier Register. They are reviewed at least annually, and more often where the risk warrants it or after a significant change or event.
How to implement ISO 27001 Annex A 5.19
Implementing ISO 27001 Annex A 5.19 requires a systematic approach to governing third-party access and ensuring that external partners adhere to your organisation’s security standards. By formalising the supplier lifecycle from initial vetting to decommissioning, you mitigate the risk of supply chain vulnerabilities and data breaches. This guide outlines the action-orientated steps necessary to establish a compliant and technically robust supplier relationship framework.
1. Formalise the Topic-Specific Policy on Supplier Relationships
Establish a documented policy that mandates the security requirements for all third-party entities accessing organisational assets. This action results in a standardised governance layer that dictates how every vendor must be managed throughout the partnership.
- Define clear security criteria for selecting and onboarding new suppliers based on data sensitivity.
- Specify the mandatory technical controls suppliers must maintain, such as Multi-Factor Authentication (MFA) and data encryption.
- Identify different supplier categories (e.g. Critical, High, Low risk) to ensure proportional security oversight.
2. Provision a Technical Supplier Risk Assessment Process
Execute a rigorous vetting process for every potential supplier before any legal agreements are signed. This result-focused step identifies security gaps in the provider’s environment that could expose your organisation to cascading risks.
- Utilise specialised Security Assessment Questionnaires (SAQ) to evaluate the vendor’s internal control environment.
- Verify the validity and scope of independent audit reports such as ISO 27001 certificates or SOC 2 Type II reports.
- Review the supplier’s software development lifecycle (SDLC) and patch management protocols for technology-based services.
3. Formalise Security Clauses in Legal Agreements
Embed specific, legally binding security requirements into Master Service Agreements (MSA) or Data Processing Agreements (DPA). This action ensures that security expectations are enforceable and that suppliers are held accountable for breaches.
- Include “Right to Audit” clauses that allow your organisation to conduct periodic security reviews or onsite inspections.
- Mandate strict incident notification timeframes to ensure compliance with regulatory windows such as the 72-hour GDPR limit.
- Specify the technical requirements for secure data return or certified destruction upon contract termination.
4. Implement Managed Access and IAM Role Restrictions
Apply the Principle of Least Privilege (PoLP) to all supplier accounts accessing internal networks or cloud environments. This technical intervention limits the lateral movement of a potential attacker in the event of a supplier credential compromise.
- Provision unique, time-limited IAM roles for supplier personnel rather than using generic shared accounts.
- Enforce hardware-based MFA for all administrative access to production systems by third-party contractors.
- Establish Rules of Engagement (ROE) documents that define the boundaries of technical support and remote maintenance.
5. Execute Continuous Supplier Monitoring and Performance Reviews
Establish a recurring review cycle to monitor the supplier’s ongoing compliance with agreed security standards. This results in a dynamic risk management approach that accounts for changes in the supplier’s technology or business structure.
- Perform annual reviews of updated security certificates and audit findings for all critical-tier suppliers.
- Monitor service level agreements (SLAs) to ensure security-related performance targets are consistently met.
- Maintain a centralised Supplier Register that tracks the current risk status and contract expiry for all vendors.
6. Revoke Access and Decommission Supplier Assets
Formalise a structured offboarding process to ensure all organisational access is terminated immediately upon the end of a relationship. This action prevents “orphan accounts” and data residue from remaining in external environments.
- Validate the immediate deactivation of all VPN tokens, physical badges, and cloud-based IAM credentials.
- Obtain formal certificates of data destruction or evidence of secure data porting from the supplier.
- Update the internal asset register to reflect the return or decommissioning of hardware provided to the supplier.
Supplier Tiering Example
| Tier | Definition | Example | Due Diligence Required |
|---|---|---|---|
| Tier 1 (Critical) | Holds sensitive data (PII) or critical to uptime. | AWS, Payroll Provider. | ISO 27001 Cert + Deep Audit. |
| Tier 2 (High) | Access to internal systems but no sensitive data. | IT Support Agency. | Security Questionnaire. |
| Tier 3 (Low) | No access to systems/data. | Stationery Supplier. | None / Basic Checks. |
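The tiering matrix above, together with the register checks the implementation steps call for (a contract on file, in-date assurance matching the tier, a review evidenced within 12 months), as an added Python example that is not part of this guide or the High Table toolkit. The supplier names, dates and field names are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)  # auditor expects a review evidenced in the last 12 months
DUE_DILIGENCE = {1: "ISO 27001 certificate + deep audit", 2: "security questionnaire", 3: "none / basic checks"}


@dataclass
class Supplier:
    """One row of the supplier register (field names are constructed for this example)."""
    name: str
    holds_pii: bool = False              # Tier 1 trigger
    critical_to_uptime: bool = False     # Tier 1 trigger
    has_system_access: bool = False      # Tier 2 trigger
    contract_on_file: bool = False
    contract_expiry: Optional[date] = None
    iso27001_cert_expiry: Optional[date] = None   # None means no certificate held
    questionnaire_completed: bool = False
    last_review: Optional[date] = None


def assign_tier(s: Supplier) -> int:
    """Tiering matrix: PII or uptime-critical -> Tier 1, system access only -> Tier 2, else Tier 3."""
    if s.holds_pii or s.critical_to_uptime:
        return 1
    if s.has_system_access:
        return 2
    return 3


def review_supplier(s: Supplier, today: date) -> list[str]:
    """Return the findings an auditor would raise for one register entry."""
    tier = assign_tier(s)
    findings: list[str] = []
    if tier == 3:
        return findings   # no access to systems or data: basic checks only
    # Mistake 1: no contract or legal terms, or the contract has lapsed
    if not s.contract_on_file:
        findings.append("no contract or legal terms on file")
    elif s.contract_expiry is not None and s.contract_expiry < today:
        findings.append("contract expired")
    # Mistake 2: no in-date assurance matching the tier's due diligence
    if tier == 1 and (s.iso27001_cert_expiry is None or s.iso27001_cert_expiry < today):
        findings.append("no in-date ISO 27001 certificate")
    if tier == 2 and not s.questionnaire_completed:
        findings.append("security questionnaire not completed")
    # Ongoing monitoring: a review must be evidenced within the last 12 months
    if s.last_review is None or today - s.last_review > REVIEW_INTERVAL:
        findings.append("no review evidenced in the last 12 months")
    return findings


def review_register(register: list[Supplier], today: date) -> dict[str, list[str]]:
    """Run the checks over the whole register; suppliers with no findings are omitted."""
    return {s.name: f for s in register if (f := review_supplier(s, today))}


# Constructed sample register: supplier names and dates are illustrative only.
TODAY = date(2025, 6, 1)
REGISTER = [
    Supplier("Cloud hosting", critical_to_uptime=True, contract_on_file=True,
             iso27001_cert_expiry=date(2026, 3, 31), last_review=date(2025, 1, 15)),
    Supplier("Payroll provider", holds_pii=True, contract_on_file=True,
             iso27001_cert_expiry=date(2025, 2, 28), last_review=date(2025, 1, 15)),
    Supplier("IT support agency", has_system_access=True, contract_on_file=True,
             contract_expiry=date(2025, 12, 31), last_review=date(2024, 3, 1)),
    Supplier("Stationery supplier"),
]

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.name}: Tier {assign_tier(s)} -> {DUE_DILIGENCE[assign_tier(s)]}")
    for name, findings in review_register(REGISTER, TODAY).items():
        print(f"FINDING {name}: {'; '.join(findings)}")
```

Run against the sample register it flags the payroll provider's lapsed certificate and the IT support agency's missing questionnaire and overdue review, which are exactly the "mistakes" an auditor looks for.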
ISO 27001 Supplier Register Template
The ultimate ISO 27001 Supplier Register Template.
ISO 27001 Supplier Policy Template
The ultimate ISO 27001 Supplier Policy Template.
How to comply
To comply with ISO 27001 Annex A 5.19 you are going to implement the ‘how’ for the ‘what’ the control is expecting. In short, you are going to:
- implement a topic-specific policy
- implement a supplier management process
- implement an ISO 27001 supplier register
How to pass the ISO 27001 Annex A 5.19 audit
To pass an audit of ISO 27001 Annex A 5.19 you are going to make sure that you have followed the steps above in how to comply.
You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.
What the auditor will check
The audit is going to check a number of areas. Let's go through the most common:
1. That you have a supplier management process
The auditor is going to check the rules, procedures and supplier management methodology and make sure you have followed them. Make sure all suppliers are listed, that you have contracts, agreements or terms for each supplier, and that you have assurance they are doing the right thing for information security.
2. That you have an ISO 27001 Supplier Register
You will need an ISO 27001 Supplier Register to record and manage your suppliers. Make sure it is up to date and reflects your reality.
3. Documentation
They are going to look at audit trails and all your documentation and check that it is classified and labelled. As a minimum, any confidential document you show them should be labelled as such. Is the document up to date? Has it been reviewed in the last 12 months? Does the version control match?
Top 3 ISO 27001 Annex A 5.19 Mistakes People Make and How to Avoid Them
The top 3 mistakes people make for ISO 27001 Annex A 5.19 are:
1. You have no contracts or legal terms with a supplier
Make sure there is a contract, agreement, terms of business or some other legal mechanism for engaging with each supplier, that you have a copy, that it is in date, and that it covers what you are using.
2. You have no assurance they are doing the right thing for information security
Make sure you have done your security assessment and can put your hands on an in-date certificate, such as an ISO 27001 certification, for assurance that they are doing the right thing. It needs to be in date and cover the products and/or services you have acquired and are using from the supplier.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure version numbers match wherever they are used, evidencing a review in the last 12 months, and having documents with no stray comments left in them are all good practices.
Applicability of ISO 27001 Annex A 5.19 across different business models.
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | The “Tiering” Logic. You don’t need a complex procurement team. Compliance means having a list (Register) that separates critical data handlers (e.g., your Accountant) from non-risky vendors (e.g., Office Cleaners). | Supplier Register: A simple Excel sheet listing all vendors, categorized as “Critical” or “Non-Critical.” |
| Tech Startups | Onboarding Gates. The focus is on preventing “Shadow IT.” You need a policy that says employees cannot sign up for new SaaS tools without a quick security check. | Vendor Risk Assessment (VRA): Sending a lightweight security questionnaire to new SaaS vendors before signing the contract. |
| AI Companies | Data Ethics & Privacy. Supplier selection isn’t just about security; it’s about data rights. You must vet whether a supplier (e.g., a data labelling firm) has adequate privacy controls to handle your training sets. | Due Diligence: Specifically checking if data annotation vendors conduct background checks on their staff. |
Fast Track ISO 27001 Annex A 5.19 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.19 (Information security in supplier relationships), the requirement is to define and implement processes to manage the information security risks associated with third-party products and services. Since suppliers represent one of your largest risks (you rely on them but cannot directly control them), securing this part of your supply chain is critical.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Data Ownership | Rents access to your supplier history; if you cancel the subscription, your documented due diligence logs and risk assessments vanish. | Permanent Assets: Fully editable Word/Excel Supplier Registers and Policies that you own and host forever. | A localized “Supplier Register” stored on your secure drive containing historical ISO certificates and audit reports. |
| Procurement Utility | Attempts to “automate” risk via generic portals that cannot conduct nuanced evaluations of niche or critical suppliers. | Governance-First: Provides the framework to formalize your existing procurement work into an auditor-ready system. | A completed “Supplier Tiering Matrix” proving that high-risk vendors (e.g., Cloud Hosting) undergo stricter vetting. |
| Cost Efficiency | Charges a “Vendor Count Tax” that scales costs aggressively as your supply chain and third-party integrations grow. | One-Off Fee: A single payment covers your supplier governance for 5 vendors or 500. | Allocating budget to actual security improvements rather than monthly “third-party risk” dashboard fees. |
| Strategic Freedom | Mandates rigid questionnaire formats and scoring workflows that may not align with your specific industry or lean model. | 100% Agnostic: Procedures adapt to your workflow—from simple certificate checks to deep-dive technical audits. | The ability to evolve your procurement strategy and risk-scoring criteria without reconfiguring a rigid SaaS module. |
While SaaS compliance platforms often try to sell you “automated vendor risk assessments” or complex “due diligence portals,” they cannot actually conduct a meaningful risk evaluation of a niche supplier or negotiate a security clause into a contract; those are human governance and procurement tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the supplier framework you need to manage your supply chain effectively without a recurring subscription fee.
1. Ownership: You Own Your Supplier Register Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your supplier tiers and store your due diligence logs inside their proprietary system, you are essentially renting your own supply chain history.
- The Toolkit Advantage: You receive the Third-Party Supplier Policy and Supplier Register Template in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your records (such as AWS ISO certificates or payroll provider audits), ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Real-World Procurement
Annex A 5.19 is about managing risks. You don’t need a complex new software interface to record that AWS is a “Tier 1” critical supplier.
- The Toolkit Advantage: Your team already uses tools like email or simple ticketing systems to talk to vendors. What they need is the governance layer to prove to an auditor that these vendors are categorized, risk-assessed, and reviewed. The Toolkit provides pre-written procedures and “Supplier Tiering Matrices” that formalize your existing procurement work into an auditor-ready framework, without forcing your team to learn a new software platform just to log a vendor.
3. Cost: A One-Off Fee vs. The “Vendor Count” Tax
Many compliance SaaS platforms charge more based on the number of “vendors” or “third-party questionnaires” you process. For a control that applies to every single supplier in your company, these monthly costs can scale aggressively.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you manage 5 suppliers or 500, the cost of your Supplier Documentation remains the same. You save your budget for actual security improvements rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Procurement Strategy
SaaS tools often mandate specific questionnaire formats or rigid risk-scoring workflows. If their system doesn’t match your lean business model or specialized industry requirements, the tool becomes a bottleneck.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Supplier Procedures to match exactly how you operate, whether you use a deep-dive technical audit or just a simple certificate check for low-risk vendors. You maintain total freedom to evolve your procurement strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For Annex A 5.19, the auditor wants to see that you have a formal process for managing supplier risk and an up-to-date register of your third parties. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.19 FAQ
What is ISO 27001 Annex A 5.19?
ISO 27001 Annex A 5.19 is a governance control that requires organisations to establish and implement a formal policy to protect assets accessible by suppliers.
- Mandates a formalised “Topic-Specific Policy on Supplier Relationships.”
- Focuses on mitigating risks associated with third-party access to organisational data.
- Requires clear security requirements to be defined before onboarding any vendor.
- Ensures that security standards are maintained throughout the entire supplier lifecycle.
What is the main objective of Annex A 5.19?
The primary goal is to ensure that information security is maintained at the same standard when organisational assets are accessed or managed by third-party suppliers.
- Prevents unauthorised access to sensitive data via weak link vendors.
- Establishes accountability for security within the supply chain.
- Provides a framework for consistent risk assessment of all external partners.
- Aligns supplier activities with the organisation’s internal ISMS objectives.
What are the mandatory requirements for compliance with 5.19?
To satisfy ISO 27001 Annex A 5.19, an organisation must demonstrate a documented process for vetting, contracting, and managing suppliers.
- Supplier Risk Assessment: Documented evidence of reviewing vendor security before signing.
- Supplier Security Policy: A signed, topic-specific policy governing third-party behaviour.
- Inventory of Suppliers: A formalised list of all vendors with access to organisational information.
- Security Clauses: Explicit security requirements included in all legal service agreements.
How do you perform a supplier security risk assessment?
A supplier risk assessment is performed by evaluating a vendor’s security posture against your organisation’s risk appetite using questionnaires or audit reports.
- Step 1: Determine the sensitivity of the data the supplier will access.
- Step 2: Issue a Security Questionnaire (SAQ) or review SOC 2/ISO 27001 certificates.
- Step 3: Identify gaps between vendor controls and your internal requirements.
- Step 4: Implement compensatory controls or reject the supplier based on the risk score.
Is a “Right to Audit” clause required for Annex A 5.19?
Yes, while the specific terminology may vary, the organisation must have the legal right to monitor and review supplier security performance.
- Allows for periodic onsite or remote security audits.
- Mandates that suppliers provide independent audit reports (e.g., SOC 2 Type II).
- Ensures the organisation can verify that security controls are functioning as promised.
- Typically formalised within the Master Service Agreement (MSA) or a DPA.
How does Annex A 5.19 relate to the 2022 ISO 27001 update?
Annex A 5.19 in the 2022 update is a direct evolution of the previous Annex A 15.1.1, now categorised under “Organisational Controls.”
- Consolidation: It streamlines the focus on the “Policy” layer of supplier management.
- Hierarchy: It acts as the “Parent” control for subsequent controls like 5.20 and 5.21.
- Scope: Explicitly emphasises “Topic-Specific” policies rather than generic statements.
Related ISO 27001 Controls
ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements
Further Reading
ISO 27001 Supplier Security Policy Beginner’s Guide
ISO 27001: The Importance Of Third-Party Supplier Security Management
ISO 27001 controls and attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify | Supplier relationships security | Governance and ecosystem, Protection |