ISO 27002:2022, Control 5.19 – Information Security in Supplier Relationships


Purpose of Control 5.19

Control 5.19 concerns itself with an organisation’s obligation to ensure that, when using supplier-side products and services (including cloud service providers), adequate consideration is given to the level of risk inherent in using external systems, and the consequential impact that may have on their own information security adherence.

5.19 is a preventative control that modifies risk by maintaining procedures that address inherent security risks associated with the use of products and services provided by third parties.

Whereas Control 5.20 deals with information security within supplier agreements, Control 5.19 is broadly concerned with adherence throughout the course of the relationship.

Attributes Table of Control 5.19

Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains
#Preventative | #Confidentiality, #Integrity, #Availability | #Identify | #Supplier Relationships Security | #Governance and Ecosystem, #Protection

Ownership of Control 5.19

Whilst Control 5.19 contains a lot of guidance on the use of ICT services, the broader scope of the control encompasses many other aspects of an organisation’s relationship with its supplier base, including supplier types, logistics, utilities, financial services and infrastructure components.

As such, ownership of Control 5.19 should rest with a member of senior management who oversees the organisation’s commercial operation and maintains a direct relationship with its suppliers, such as a Chief Operating Officer.

General Guidance

Compliance with Control 5.19 involves adhering to what’s known as a ‘topic-specific’ approach to information security in supplier relationships.

Topic-specific approaches encourage organisations to create supplier-related policies that are tailored towards individual business functions, rather than adhering to a blanket supplier management policy that applies to any and all third party relationships across an organisation’s commercial operation.

It’s important to note that Control 5.19 asks the organisation to implement policies and procedures that not only govern the organisation’s use of supplier resources and cloud platforms, but also form the basis of how they expect their suppliers to conduct themselves prior to and throughout the term of the commercial relationship.

As such, Control 5.19 can be viewed as the essential qualifying document that dictates how information security governance is handled over the course of a supplier contract.

Control 5.19 contains 14 main guidance points to be adhered to:

1) Maintain an accurate record of supplier types (e.g. financial services, ICT hardware, telephony) that have the potential to affect information security integrity.

Compliance – Draft a list of any and all suppliers that your organisation works with, categorise them according to their business function and add categories to said supplier types as and when required.

2) Understand how to vet suppliers, based on the level of risk inherent for their supplier type.

Compliance – Different supplier types will require different due diligence checks. Consider using vetting methods on a supplier-by-supplier basis (e.g. industry references, financial statements, onsite assessments, sector-specific certifications such as Microsoft Partnerships).

3) Identify suppliers that have pre-existing information security controls in place.

Compliance – Ask to see copies of suppliers’ relevant information security governance procedures, in order to evaluate the risk to your own organisation. If they don’t have any, it’s not a good sign.

4) Identify and define the specific areas of your organisation’s ICT infrastructure that your suppliers will be able to either access, monitor or make use of themselves.

Compliance – It’s important to establish from the outset precisely how your suppliers are going to interact with your ICT assets – be they physical or virtual – and what levels of access they’re granted in accordance with their contractual obligations.

5) Define how the suppliers’ own ICT infrastructure can impact upon your own data, and that of your customers.

Compliance – An organisation’s first obligation is to its own set of information security standards. Supplier ICT assets need to be reviewed in accordance with their potential to affect uptime and integrity throughout your organisation.

6) Identify and manage the various information security risks attached to:

a. Supplier use of confidential information or protected assets (e.g. malicious use and/or criminal intent).

b. Faulty supplier hardware or malfunctioning software platforms associated with on-premise or cloud-based services.

Compliance – Organisations need to be continually mindful of the information security risks associated with catastrophic events, such as nefarious supplier-side user activity or major unforeseen software incidents, and their impact on organisational information security.

7) Monitor information security compliance on a topic-specific or supplier-type basis.

Compliance – Organisations need to appreciate the information security implications inherent within each supplier type, and adjust their monitoring activity to accommodate varying levels of risk.

8) Limit the amount of damage and/or disruption caused through non-compliance.

Compliance – Supplier activity should be monitored in an appropriate manner, and to varying degrees, in accordance with its risk level. Where non-compliance is discovered, either proactively or reactively, immediate action should be taken.

9) Maintain a robust incident management procedure that addresses a reasonable amount of contingencies.

Compliance – Organisations should understand precisely how to react when faced with a broad range of events relating to the supply of third party products and services, and outline remedial actions that include both the supplier and the organisation.

10) Enact measures that cater to the availability and processing of the supplier’s information, wherever it’s used, thereby ensuring the integrity of the organisation’s own information.

Compliance – Steps should be taken to ensure that supplier systems and data are handled in a way that doesn’t compromise on the availability and security of the organisation’s own systems and information.

11) Draft a thorough training plan that offers guidance on how staff should interact with supplier personnel and information on a supplier-by-supplier basis, or on a type-by-type basis.

Compliance – Training should cover the full spectrum of governance between an organisation and its suppliers, including engagement, granular risk management controls and topic-specific procedures.

12) Understand and manage the level of risk inherent when transferring information and physical and virtual assets between the organisation and their suppliers.

Compliance – Organisations should map out each stage of the transfer process and educate staff as to the risks associated with moving assets and information from one source to another.

13) Ensure that supplier relationships are terminated with information security in mind, including removing access rights and the ability to access organisational information.

Compliance – Your ICT teams should have a clear understanding of how to revoke a supplier’s access to information, including:

  • Granular analysis of any associated domain and/or cloud-based accounts.
  • Distribution of intellectual property.
  • The porting of information between suppliers, or back to your organisation.
  • Records management.
  • Returning assets to their original owner.
  • Adequate disposal of physical and virtual assets, including information.
  • Adherence to any contractual requirements, including confidentiality clauses and/or external agreements.

14) Outline precisely how you expect the supplier to conduct themselves regarding physical and virtual security measures.

Compliance – Organisations should set clear expectations from the outset of any commercial relationship, that specify how supplier-side personnel are expected to conduct themselves when interacting with your staff or any relevant assets.


Supplementary Guidance

ISO acknowledges that it’s not always possible to impose a full set of policies on a supplier that meet each and every requirement from the above list as Control 5.19 intends, especially when dealing with rigid public sector organisations.

That being said, Control 5.19 clearly states that organisations should use the above guidance when forming relationships with suppliers, and consider non-adherence on a case-by-case basis.

Where full compliance isn’t achievable, Control 5.19 gives organisations leeway by recommending “compensating controls” that achieve adequate levels of risk management, based on an organisation’s unique circumstances.

Changes from ISO 27002:2013

27002:2022-5.19 replaces 27002:2013-15.1.1 (Information security policy for supplier relationships).

27002:2022-5.19 broadly adheres to the same underlying concepts contained in the 2013 control, but does contain several additional guidance areas that are either omitted from 27002:2013-15.1.1, or at the very least not covered in as much detail, including:

  • The vetting of suppliers based on their supplier type and risk level.
  • The need to ensure the integrity of supplier information in order to secure their own data, and ensure business continuity.
  • The various steps required when ending a supplier relationship, including the decommissioning of access rights, IP distribution, contractual agreements etc.

27002:2022-5.19 is also explicit in acknowledging the highly variable nature of supplier relationships (based on type, sector and risk level), and gives organisations a certain degree of leeway when considering the possibility of non-compliance of any given guidance point, based on the nature of the relationship (see ‘Supplementary Guidance’ above).

How ISMS.online Helps

Using ISMS.online you can:

  • Quickly implement an Information Security Management System (ISMS).
  • Easily manage the documentation of your ISMS.
  • Streamline compliance with all relevant standards.
  • Manage all aspects of information security, from risk management to security awareness training.
  • Effectively communicate throughout your organisation using our built-in communication functionality.

It’s a simple matter of creating a free trial account and following the steps we provide.

Get in touch today to book a demo.


New Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.7 | New | Threat intelligence
5.23 | New | Information security for use of cloud services
5.30 | New | ICT readiness for business continuity
7.4 | New | Physical security monitoring
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.16 | New | Monitoring activities
8.23 | New | Web filtering
8.28 | New | Secure coding

Organisational Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
5.4 | 07.2.1 | Management responsibilities
5.5 | 06.1.3 | Contact with authorities
5.6 | 06.1.4 | Contact with special interest groups
5.7 | New | Threat intelligence
5.8 | 06.1.5, 14.1.1 | Information security in project management
5.9 | 08.1.1, 08.1.2 | Inventory of information and other associated assets
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets
5.11 | 08.1.4 | Return of assets
5.12 | 08.2.1 | Classification of information
5.13 | 08.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 09.1.1, 09.1.2 | Access control
5.16 | 09.2.1 | Identity management
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
6.1 | 07.1.1 | Screening
6.2 | 07.1.2 | Terms and conditions of employment
6.3 | 07.2.2 | Information security awareness, education and training
6.4 | 07.2.3 | Disciplinary process
6.5 | 07.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 06.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
7.1 | 11.1.1 | Physical security perimeters
7.2 | 11.1.2, 11.1.6 | Physical entry
7.3 | 11.1.3 | Securing offices, rooms and facilities
7.4 | New | Physical security monitoring
7.5 | 11.1.4 | Protecting against physical and environmental threats
7.6 | 11.1.5 | Working in secure areas
7.7 | 11.2.9 | Clear desk and clear screen
7.8 | 11.2.1 | Equipment siting and protection
7.9 | 11.2.6 | Security of assets off-premises
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
8.1 | 06.2.1, 11.2.8 | User endpoint devices
8.2 | 09.2.3 | Privileged access rights
8.3 | 09.4.1 | Information access restriction
8.4 | 09.4.5 | Access to source code
8.5 | 09.4.2 | Secure authentication
8.6 | 12.1.3 | Capacity management
8.7 | 12.2.1 | Protection against malware
8.8 | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 09.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing