ISO 27001 Supplier Register: Ultimate Guide

Home / ISO 27001 Templates / ISO 27001 Supplier Register: Ultimate Guide

Supplier Register

In this ultimate guide to the ISO 27001 Supplier Register you will learn

  • What is an ISO 27001 Supplier Register
  • How to implement an ISO 27001 Supplier Register

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is a supplier register?

A supplier register is a record of all of your supplier and third parties. It captures some key information about the supplier. It is used to manage your suppliers.

What is an ISO 27001 Supplier Register?

The ISO 27001 Supplier Register is a list of all of the suppliers that we have that store, process or transmit data.

The ISO 27001 supplier register focuses on the suppliers and third parties that provide products or services that are specific to the ISO 27001 Scope. In addition to the normal supplier register details it also captures evidence that information security controls are in place.

DO IT YOURSELF ISO27001

Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

Why is the ISO 27001 Supplier Register Important?

Suppliers represent the biggest risk to our organisation in terms of information security.

Suppliers provide us with valuable products, services and resources but they are outside of our control.

We trust them with our most valuable information. We trust them to do the right thing. We trust them with our customers and clients information.

We can protect what we control. We do not control our suppliers.

This is where effective third party supplier management comes in.

The Third Party Supplier Policy sets our how we manage the risk associated with our suppliers.

The Third Party Supplier Register is the tool we use to actively manage them.

To understand more about why an ISO 27001 Supplier Register is important, read ISO 27001: The Importance Of Third-Party Supplier Security Management.

Managing Suppliers with the Supplier Register

For suppliers we are looking to seek a level of assurance they are doing the right thing for information security.

The easiest way to achieve this is to check that we have an up to date and in date:

  • contract that includes clauses for information security and data protection.
  • industry level certification that covers the products and / or services we are buying such as an ISO 27001 certification can provide us with adequate assurance.

The contract and the industry certification is noted and recorded in the supplier register.

We also record what they do for us and how reliant upon them we are.

The ISO 27001 Supplier Register captures key information about the supplier and is used to manage the supplier reviews and supplier assurance processes.

This will lead to how we manage them.

We will know

  • Who our suppliers are
  • What the do for us
  • If we have a contract
  • If they have information security certificates
  • What data we share with them
  • When we last reviewed them and when we will next review them

ISO 27001 Supplier Register Example

The following is an example of an ISO 27001 supplier register.

ISO27001 Supplier Register Template PDF Example

Third Party Supplier Assurance

The level of assurance we require is based on risk management.

Risk is determined by a number of factors including how critical they are to our operation and how much confidence we can evidence that they are doing the right thing for information security.

It may be we add them to the risk register and manage them via risk management.

ISO27001 Risk Register Example

As part of our assurance we make sure that every supplier in the register should be reviewed at least annually.

We cover how the supplier fits into the information security management system in the ISO 27001 Templates Documents Ultimate Guide.

The exact process is include in the Ultimate ISO 27001 Toolkit as one of the may step-by-step, how to, implementaton guides.

ISO 27001 Supplier Templates

These ISO 27001 Templates are part of the ISO 27001 Toolkit and can be downloaded individually as part of your supplier management.

ISO 27001 templates are a great way to fast track you implementation based on global best practice.

ISO27001 Third Party Supplier Policy Template
ISO27001 Third Party Supplier Register Template

Watch the ISO 27001 Supplier Register Tutorial

Watch How to create a Third Party Supplier Register in under 5 minutes

In this tutorial video I show you how to create a supplier register / third party register in around 5 minutes. Supplier management is a foundation of data security and many industry certifications including GDPR, ISO 27001, PCI DSS, SOC and a host of others. Supplier management doesn’t have to be hard and it really is easy to create a basic functioning supplier register from scratch.

ISO 27001 Requirements for an ISO 27001 Supplier Register

ISO 27001 has a requirement that you have effectively manage your third party suppliers and ensure the security of the supply chain. The IS 27001 standard includes an annex called Annex A. Annex A is also a standard in its own right called ISO 27002. ISO 27001 Annex A/ ISO 27002 is a list of ISO 27001 controls that the organisation must implement and supplier management is one of those. The ISO 27001 Annex A / ISO 27002 changed in 2022. Here is what ISO 27001 Annex A has to say about supplier management and the supplier register.

ISO 27001 Annex A 5.19 Information Security In Supplier Relationships

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

ISO27001:2022 Annex A 5.19 Information Security In Supplier Relationships

Here the role of the ISO 27001 supplier register is to identify and record the risks associated with the supplier. It captures a risk score that is used as part of risk management.

ISO 27001 Annex A 5.20 Addressing Information Security in Supplier Agreements

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

ISO27001:2022 Annex A 5.20 Addressing Information Security in Supplier Agreements

In the ISO 27001 supplier register we record whether we have a contract that covers the products or services that we are buying. To implement this we would also have a local copy of the contract that we could get access to and we would check that the contract the contract includes information security requirements. We always want to have an in date contract that meets the requirements of this clause before we go for ISO 27001 certification audit.

ISO 27001 Annex A 5.21 Managing Information Security in the ICT Supply Chain

Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

ISO27001:2022 Annex A 5.21 Managing Information Security in the ICT Supply Chain

To apply to processes and procedures we need list of the suppliers.

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services

The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

ISO27001:2022 Annex A 5.22 Monitoring, review and change management of supplier services

There are many types of review that can be performed on our suppliers. As a minimum our review would include that we have a relevant, in date contract with appropriate clauses and that we have insurance for information security practices which usually means we have an in date copy of an appropriate information security certificate, such as an ISO 27001 certificate, that covers the products or services that we have bought. These reviews are captured and recorded in the ISO 27001 supplier register.

Stuart - High Table - ISO27001 Ninja - 3

ISO 27001 Supplier Register FAQ

What is the third party supplier risk assessment checklist?

Suppliers are risk assessed relative to what they do for you and how critical they are to you. You will assess that you have a current, in date contract, that includes the products and services you are buying. You will assess the level of assurance that you have that the supplier is doing the right thing for information security and this usually means that they have relevant in date certifications that cover the products and services that you are buying. You would use this third party risk assessment checklist and record it in the third party supplier register.

Where can I get a vendor database template in Excel?

A trusted vendor database template can be downloaded from High Table: The ISO 27001 Company

Where can I get a vendor list template in Word?

Word is not the best tool for recording a list of vendors. A trusted Excel vendor database template can be downloaded from High Table: The ISO 27001 Company.

Where can I get an approved supplier list template?

An approved supplier list template can be can be downloaded from High Table: The ISO 27001 Company.

What is a supplier register?

A supplier register is a list of all of your suppliers. It is ranked on how critical the supplier is to your business and it tracks key information such as if you have a relevant contract with them and the level of assurances that you have for information security.

What is the best format for a supplier register?

The best format for a supplier register is a spreadsheet. Microsoft Excel is more than adequate.

Do I need a supplier register for ISO 27001?

Yes. Supplier management and security of the supply chain is a key requirement of information security. After employees, suppliers represent your biggest security risk.

How often do you review third party suppliers?

At least annually and based on risk. If the supplier represents a significant risk then consider quarterly reviews.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing