Why MSP Relationships Create Hidden Exposure
Managed service providers often become the largest and least visible part of your attack surface when your organisation relies on outsourced IT and cloud services. For Kickstarters, CISOs, privacy leads, and practitioners, that means MSP exposure is a central business risk, not a side issue for procurement. Any weakness in an MSP’s environment can quickly become your problem.
Managed service providers extend your attack surface and your accountability far beyond your own network, tools, and staff. When an MSP is compromised, the blast radius often includes multiple services, environments, and customers at once. For a Kickstarter team trying to get ISO 27001 over the line, a CISO answering to the board, or a legal lead worrying about regulators, that means MSP risk cannot be left to informal contracts and assumptions.
A majority of organisations in the 2025 ISMS.online State of Information Security survey reported being impacted by at least one third‑party or vendor‑related security incident in the past year.
This information is general and does not constitute legal or regulatory advice; you should always confirm specific obligations with qualified advisers.
Many teams feel that exposure already. You depend on remote management tools, cloud hosting, backup platforms, security monitoring, and specialist consultancies just to keep the lights on. Some of those partners have privileged access into production. Others hold sensitive data or underpin critical services. Yet contracts may barely mention security, there is no unified view of who has access to what, and board reports tend to focus on internal controls while ignoring external ones.
The riskiest suppliers are often the ones everyone assumes are already covered.
How MSPs Expand Your Attack Surface
Your MSP ecosystem usually has more entry points, privileges, and integrations than any single internal system. An attacker who compromises one MSP can gain leverage across multiple networks, services, and customers, which is why many financial regulators and insurers now treat outsourced ICT as a potential systemic risk rather than a narrow technical issue, as reflected in central bank and supervisory outsourcing guidance. For security and operations teams, that makes visibility and control over MSP access non‑negotiable.
A single MSP may run your remote access tooling, manage endpoint agents, hold admin credentials for cloud subscriptions, and operate change processes on your behalf. Smaller “shadow MSPs” can slip in through credit‑card SaaS, local IT support, or niche monitoring tools bought directly by a business unit. Each of these providers represents additional authenticated channels into your estate, more copies of sensitive information, and extra service dependencies you cannot easily control.
Without an explicit inventory of MSPs, their access, and their dependencies, your risk register underestimates the real attack surface. A compromise of an RMM platform, for example, is not just one vendor incident; it can become the launch pad for ransomware across dozens of servers and sites.
Shadow MSPs and Unmanaged Dependencies
Shadow MSPs are suppliers that behave like managed service providers but are not treated as such. They often hold access, data, or control, but sit outside formal processes and oversight.
Examples include a marketing team buying a web agency that manages production DNS, a plant using a maintenance contractor with VPN access, or finance adopting an “easy” SaaS integration that stores customer data. These partners often bypass formal procurement, may never be assessed by security or privacy teams, and still hold credentials, access paths, or sensitive data that matter to your compliance storey.
A quick review of purchase records, identity stores, and firewall rules often reveals more “service providers with access” than anyone expected. Until they are brought into scope, A.5.19 cannot be said to be fully implemented, because your organisation has not even identified all relevant supplier relationships. For practitioners and Kickstarters, this early discovery work is often the first visible step towards a serious MSP posture.
Concentration and Systemic Risk
Critical services frequently cluster around a small number of large providers. That concentration can turn a single failure into a systemic event for your organisation.
If one key MSP delivers several services, hosts multiple workloads, and manages identity or connectivity, an outage or insolvency event can disrupt internal operations, customer‑facing services, and your recovery capabilities at the same time. Boards, regulators, and insurers increasingly worry about this “all eggs in one basket” situation and expect you to understand where your true single points of failure sit.
For you, it means A.5.19 is not just about tidy supplier files; it is about recognising which relationships carry systemic risk and planning how those would be handled under stress. That includes knowing what you would do if a core MSP were unavailable for days, or if its environment was used as a launchpad into yours, and then making sure leadership sees those scenarios alongside other resilience topics.
Making Risk Visible to Leadership
Leadership teams rarely respond to raw lists of tools; they respond to clear explanations of business impact. When you translate MSP risk into concrete scenarios that describe customer disruption, regulatory exposure, or lost revenue, it becomes far easier for CISOs, legal leaders, and practitioners to secure time, budget, and attention.
If you describe an MSP risk purely in technical terms (they manage the RMM and have domain admin), the conversation will stay within IT. If you reframe that as:
- If this provider is down for 48 hours, we cannot serve these customer segments.:
- If their update pipeline is compromised, attackers can deploy code into production.:
then third‑party risk belongs on the same agenda as operational resilience, revenue, and reputation. Supervisory guidance in many sectors, including banking and financial services, now emphasises this type of business‑impact framing for critical ICT providers, as reflected in outsourcing and ICT risk guidelines from European supervisory authorities. That is the mental shift you want before you introduce ISO 27001 requirements and the frameworks that can help, including platforms such as ISMS.online that make supplier risk easier to see and manage in one place.
Book a demoWhat ISO 27001:2022 A.5.19 Really Asks of MSP‑Heavy Organisations
ISO 27001:2022 A.5.19 expects you to manage information security in supplier relationships through a structured, risk‑based lifecycle rather than one‑off approvals. For MSP‑heavy organisations, that means classifying providers by risk, defining clear security requirements, embedding them into agreements, and monitoring performance over time. For Kickstarters and practitioners this is a first workable structure; for CISOs and legal officers, it becomes the backbone of board and regulator‑facing narratives.
In the 2025 ISMS.online survey, around four in ten organisations said that managing third-party risk and tracking supplier compliance is one of their top information‑security challenges.
In many organisations, A.5.19 is listed as “applicable” in the Statement of Applicability, yet when auditors ask for evidence, what is presented is sometimes limited to a short supplier policy and a spreadsheet of vendor names. In many audits, assessors focus more on how you apply the control than on the wording of the policy. They expect to see a traceable line from risk thinking, through requirements, into contracts, monitoring, and exit, particularly where MSPs hold high privilege or sensitive data.
The accompanying guidance in ISO 27002-particularly the supplier‑related controls-makes it clear that you should consider the sensitivity and classification of information handled by each supplier, the criticality of the service to operations and customers, the level of access granted (including privileged or remote access), and the legal and regulatory environment around the service, in line with ISO’s published commentary on information security controls. From that analysis, you are expected to derive proportionate controls and show how they are built into real processes, not only documents.
For busy Kickstarters, practitioners, and CISOs, the fastest way to make progress with A.5.19 is to translate control text into a small set of practical questions. If you can answer the same questions consistently for every MSP and show where the answers live, you are already close to what auditors, customers, and regulators expect to see in practice.
For each MSP, you should be able to answer and evidence:
- How risky the relationship is, and why.
- Which information security requirements you place on the provider.
- Where those requirements are documented (contracts, policies, SLAs).
- How you check, over time, that they are still being met.
- What will happen if the service changes or ends.
If you can answer all of those consistently, you are already doing most of what A.5.19 asks. If you cannot, it becomes clear where process and documentation need work, and where a more disciplined ISMS platform could help you map answers to specific controls.
Your Compliance Versus Your Suppliers’ Certificates
An MSP’s ISO 27001 or SOC 2 report is useful input; it is not your compliance. You still have to decide how relevant their scope is, where you rely on their controls, and which risks remain yours. Assessors increasingly ask how you reached those conclusions, not just whether a certificate exists, and sector regulators now routinely ask for this reasoning in critical‑outsourcing reviews, mirroring the expectations set out in international banking and securities outsourcing guidance.
The control expects you to understand:
- Which of the MSP’s controls are relevant to your risks.
- What complementary actions you must take as their customer.
- Where there are gaps between their attestations and your requirements.
Using supplier certificates as the only due‑diligence measure leaves you exposed, especially when scope, locations, or sub‑processors are not aligned with your needs. Auditors will often ask, “How did you decide this MSP met your requirements?” That answer needs to involve more than “they sent a certificate”, and it needs to be recorded in a way that you can explain months or years later.
Ownership, Roles, and the ISMS
A.5.19 only works if responsibility is clearly assigned. When everyone assumes “supplier risk” sits somewhere else, important checks and decisions will be missed, and you will struggle to reconstruct who agreed what when an incident is under scrutiny.
In practice, security may own the supplier risk methodology, GRC may govern policies and mapping to frameworks, procurement may own contract language and negotiations, and operations may own day‑to‑day performance reviews. These responsibilities need to be reflected in your ISMS documentation: policies, procedures, RACI charts, and management reviews. For CISOs and legal leads, this clarity is what turns supplier risk from an informal habit into a defensible governance structure.
Without this clarity, supplier controls drift. Everyone assumes someone else is doing the work, and it becomes difficult to show auditors or regulators who is accountable for what. A live ISMS platform can help by holding roles, approvals, and review cycles in one place instead of across scattered documents.
Embedding A.5.19 Into Risk and Policy
Supplier relationships should appear in the same risk processes as internal systems, rather than being treated as a separate track. When suppliers are part of your mainstream risk view, it becomes easier to justify decisions and to link third‑party exposures to business outcomes.
That usually means:
- MSP services appear in the information asset inventory.
- Risk assessments consider supplier‑origin threats and scenarios.
- Treatment plans reference both internal and supplier controls.
Policy‑wise, you may capture expectations in a dedicated supplier policy or integrate them into your main information security policy. Either way, MSP‑specific topics-privileged access, logging, incident support, sub‑processors-should be explicit, so they can be echoed in templates, contracts, and monitoring. Regulators increasingly expect to see this alignment across policy, risk, and supplier records.
Statement of Applicability as the Storey Spine
The Statement of Applicability is your narrative of why A.5.19 is in scope and how you meet it. A clear, concise entry becomes the spine of your storey for auditors, customers, and regulators who want to understand your MSP posture quickly.
A robust SoA entry for this control typically includes:
- A short rationale, such as “significant dependence on MSPs and ICT providers”.
- The main processes used (supplier risk assessment, due diligence, contract standards, monitoring, exit processes).
- References to supporting documents (policies, procedures, templates, registers).
When the SoA is this explicit, it becomes much easier to walk auditors, customers, and regulators through your MSP storey without hunting for ad‑hoc explanations or rediscovering forgotten decisions. For Kickstarters and practitioners, that SoA entry is also a practical checklist for what must exist and be kept up to date.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Designing an MSP Supplier‑Risk Framework End to End
A workable A.5.19 implementation is easiest to sustain when you treat it as a lifecycle framework that runs from scouting to exit. For CISOs, privacy leads, and practitioners, that means defining clear stages, owners, and artefacts so you can both manage MSP risk and explain your approach consistently to auditors, board members, and regulators.
A lifecycle approach works well because it matches how you actually engage MSPs: someone spots a need, suppliers are scouted, one is selected, access is granted, services evolve, and eventually the relationship changes or ends. For Kickstarters, this structure offers a simple blueprint; for CISOs and privacy leads, it becomes a repeatable way to prove discipline across a complex MSP estate. Platforms like ISMS.online can help you capture each stage, so you document how you work rather than creating a separate compliance track.
Many organisations jump straight to contract templates or questionnaires and then struggle to show how those fit into a bigger picture. Designing the framework first forces you to answer where you start, who is involved, and what success looks like before you refine documents and tools, and it provides a natural bridge into the detailed practices described in later sections.
Mapping the Lifecycle and Its Evidence
Before you design anything new, it helps to capture what already happens when you engage an MSP. For practitioners and project leads, documenting the path from first contact to exit shows which parts of A.5.19 are already supported and where practice is informal or undocumented.
For each stage, define both the activity and the evidence you expect to keep:
- Scouting: – basic fit, criticality, and risk pre‑screening. Evidence: initial supplier record and short risk notes.
- Due diligence: – fuller assessment of security, privacy, resilience, and financial stability. Evidence: completed questionnaires, reviewed reports, and risk decisions.
- Contracting: – security clauses, SLAs, roles, and exit terms agreed. Evidence: signed contracts with security schedules.
- Onboarding: – access, integrations, and processes set up securely. Evidence: change records, access reviews, and test results.
- Operation and change: – service delivery, performance, and incidents monitored. Evidence: reports, meeting minutes, and issue logs.
- Exit: – data returned or erased, access removed, lessons captured. Evidence: exit checklists, confirmations, and post‑exit reviews.
Once that map exists, it becomes obvious where A.5.19 requirements already have support and where they are missing. It also makes it easier to explain to assessors how real‑world supplier management maps to your control design, and sets you up to tier effort in a proportionate way.
Risk‑Tiering MSPs So Effort is Proportionate
You cannot treat every supplier as critical, and the standard does not expect you to. A simple tiering model reassures auditors that effort is proportionate, and it helps practitioners focus limited time where it matters most.
Typical risk‑tiering factors include:
- Business criticality of services.
- Sensitivity and volume of information handled.
- Level of access, including privileged, remote, or on‑site access.
- Regulatory and contractual impact if the MSP fails.
- Substitution difficulty and switching cost.
Suppliers in the highest tier may deserve board visibility, full due diligence packs, annual reviews, and detailed exit plans. Those in lower tiers might only need a baseline checklist and simple contractual protections. Risk tiers guide workload and make it easier to explain why some relationships receive more scrutiny than others, which becomes particularly important when you align A.5.19 with NIS 2 and DORA later on.
Planning for Exit While Onboarding
Exit planning is often neglected until a relationship breaks down. When you embed it from the start, you reduce the shock if an MSP fails, withdraws, or no longer meets your expectations.
A more resilient approach bakes exit into onboarding: you record who would take over the service if the MSP failed, you require clear commitments for data export, erasure, and transition support, and you capture dependencies on proprietary tooling, formats, and skills. Regulators and supervisors are increasingly explicit that major outsourcing arrangements should include this type of exit clarity from day one, including financial‑sector guidance on operational resilience and outsourcing from central banks and prudential regulators such as Bank of England publications on outsourcing and third‑party risk.
That planning does not mean you expect failure; it acknowledges that supplier landscapes change. Under A.5.19, being able to maintain control and continuity when an MSP exits is as important as selecting them well in the first place and feeds naturally into the contracting and SLA details you define later.
Involving the Right Technical Stakeholders
MSP selection should not happen purely on paper. Technical teams can often spot risks in identity, logging, and integration that contracts alone obscure, and their input can prevent well‑worded agreements from hiding real‑world weaknesses.
Architecture and security engineering teams can help you evaluate identity and access patterns (such as where single sign‑on or break‑glass accounts are used), assess logging and monitoring coverage (including whether MSP actions are visible in your SIEM), and spot integration risks (such as scripts, APIs, or agents that could be abused). For practitioners, building these reviews into the lifecycle makes supplier security feel like part of normal design work rather than an afterthought.
Those insights help you write better requirements, design better onboarding, and set more meaningful monitoring metrics. They also provide richer explanations for auditors who want to understand the technical side of your supplier risk decisions, preparing the ground for the operational monitoring topics covered in later sections.
Keeping the Framework Alive as MSPs Change
Supplier relationships are not static. An MSP that was low‑risk when engaged can become critical as your usage grows or as regulations evolve, especially in sectors under NIS 2 or DORA.
Services change, acquisitions happen, hosting moves, and new features are added. An effective framework includes triggers for re‑assessment, such as significant changes in service scope or architecture, new regions, data centres, or sub‑processors, material incidents or repeated SLA breaches, and changes of ownership or signs of financial distress.
When those triggers fire, you revisit risk ratings, requirements, and contracts. That responsiveness shows you are genuinely managing supplier relationships, not just filing them, and it leads naturally into the contracting and monitoring practices you need around A.5.19, NIS 2, DORA, and SOC 2.
Contracting and SLAs With MSPs Under A.5.19
Contracts and SLAs are where your A.5.19 decisions become enforceable and visible to auditors, customers, and regulators. For CISOs, legal officers, and practitioners, that means embedding clear security and resilience expectations into written agreements and being able to show how those match your risk appetite and regulatory duties.
For MSP relationships, this means documenting specific security expectations, resilience assumptions, and privacy obligations while keeping clauses realistic enough that providers will sign and you can operate them without constant exceptions. For legal officers and DPOs, this is also where data‑protection duties become regulator‑ready rather than aspirational, and where you show how ISO 27001, ISO 27701, and sector rules converge.
The control does not dictate exact wording, but guidance from regulators and professional bodies is converging. They expect contracts with critical ICT providers to cover topics such as security responsibilities, performance targets, incident support, audit rights, data handling, and termination, and they increasingly inspect those clauses during investigations and thematic reviews.
Building a Security Schedule MSPs Can Accept and You Can Enforce
A dedicated security schedule or annex keeps obligations clear and easier to maintain. Done well, it balances your need for assurance with the provider’s operational realities, reduces friction in negotiations, and makes enforcement more predictable when issues arise.
For higher‑risk MSPs, a security schedule often includes:
- Minimum control expectations, such as multi‑factor authentication and timely patching.
- Logging, monitoring, and retention requirements for activities in your environment.
- Notification timelines and escalation paths for suspected or confirmed incidents.
- Conditions for providing additional assurance or testing when risk changes.
- Rules for sub‑processors, including approval, disclosure, and cascade of obligations.
The legal team can work with security and procurement to maintain standard wording and a process for handling deviations. When exceptions are truly necessary, they should be explicitly risk‑accepted, time‑bound where possible, and documented, so you can explain them in audits and management reviews rather than rediscovering them during an incident.
Designing Security‑Relevant SLAs
Traditional SLAs tend to revolve around uptime; security and resilience need more. If you define what “good” looks like in detection, response, and restoration, you can hold MSPs accountable in ways that actually matter to your business and to your regulators.
For MSPs, consider defining:
- Detection and alerting metrics: – for example, maximum time to detect a security event affecting your environment.
- Response and communication metrics: – time to investigate, contain, and update you on incidents.
- Restoration metrics: – recovery time and recovery point objectives where the MSP provides infrastructure or backup.
- Evidence metrics: – cadence and format of security and performance reporting.
These metrics should align with your internal incident management and business continuity plans. An MSP that promises four‑hour recovery for a critical system, for instance, must fit with your own recovery objectives and with what you promise to your customers. For CISOs and practitioners, that alignment is often what convinces leadership that MSP risk is genuinely under control.
Handling Data Protection and Privacy Obligations
Where MSPs act as processors or sub‑processors for personal or regulated data, contractual detail matters. Regulators consistently look at how you define and monitor these relationships when investigating breaches or complaints, and many sector‑specific guidelines now provide explicit outsourcing examples.
You typically need clarity on the categories of personal data processed and the purposes of processing, restrictions on data locations and onward transfers, security measures tied to confidentiality, integrity, and availability, and how the MSP will support breach notifications, data subject rights, and regulatory interactions. Bringing privacy and security teams together when drafting these provisions reduces the risk of conflicting obligations and makes it easier to respond to regulators and customers later.
In many investigations, authorities focus as much on how you structured these relationships as on the specific technical failure. For privacy and legal officers, well‑structured MSP contracts become a key part of the evidence you rely on if things go wrong.
Making Audit and Assurance Rights Realistic
Contracts often contain broad audit rights that nobody ever uses. A realistic approach sets expectations you and the MSP can actually follow, which in turn makes oversight evidence more credible and less adversarial.
Instead of theoretical language, agree how assurance will work in practice. That might include regular independent reports or summary assurance updates, joint testing or walkthroughs of incident scenarios, and limited on‑site or remote assessments when justified by risk. Many regulators now explicitly acknowledge this layered approach to assurance, provided you can show how it is applied.
The important part is having mechanisms that both parties genuinely expect to use. That way you can demonstrate ongoing oversight without relying on intrusive visits that are never scheduled, and you can show auditors and supervisors a living assurance model rather than a purely contractual one.
Ensuring Robust Internal Approval and Governance
Even the best template fails if it can be changed without scrutiny. Governance around MSP contracts is part of your A.5.19 storey: it shows who can accept risk on behalf of the organisation and how those decisions are recorded.
For high‑risk MSP contracts, insist on documented reviews by legal, security, and procurement, clear conditions under which senior leadership sign‑off is required, and recorded justifications for deviations from standard clauses. For CISOs and legal leads, this approval trail is often what gives them confidence to sign off on complex or high‑impact MSP arrangements.
These approval flows become part of your internal control system. During audits, being able to point to a consistent governance trail for MSP contracts reassures assessors that A.5.19 is embedded, not improvised, and connects cleanly to the operational monitoring practices you build next.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Operational Monitoring and Continuous Assurance for MSPs
Once contracts are signed and services live, A.5.19 shifts focus from “what is written” to “what happens over time”. For CISOs, practitioners, and privacy officers, that means defining how often you review key MSPs, what evidence you expect, how you log issues and decisions, and when you escalate concerns to senior leadership.
For many organisations, this is where processes become ad‑hoc. Reports arrive by email, issues are discussed in meetings but never logged, and no one is quite sure whether commitments are still appropriate. Turning MSP monitoring into a defined workflow makes it manageable and auditable, and helps you demonstrate that supplier risk is treated as seriously as internal risk in governance and resilience discussions.
Regulators increasingly expect to see this kind of ongoing oversight for critical ICT providers, not just pre‑contract due diligence, as reflected in outsourcing and third‑party risk guidelines from global securities regulators. That means your MSP monitoring must be risk‑based, documented, and capable of showing trends rather than only snapshots.
Defining What Good Oversight Looks Like
Good oversight is deliberate rather than reactive. It explains why some MSPs receive intensive attention while others are monitored more lightly, and shows how those choices reflect business impact and risk appetite. When that logic is visible, it is easier to defend your approach to auditors, boards, and regulators.
Start by setting clear expectations for each risk tier. For example, a critical MSP might warrant quarterly review meetings, an annual review of independent assurance reports, regular KPI dashboards covering incidents and SLA performance, and periodic re‑confirmation of key contacts and escalation paths. Lower‑tier providers might only need annual checks or monitoring when significant change occurs.
Here is one way to structure oversight frequencies:
| MSP Tier | Example Criteria | Minimum Review Frequency |
|---|---|---|
| Tier 1 | Critical service, high data sensitivity | Quarterly + on change |
| Tier 2 | Important service, moderate data sensitivity | Twice per year |
| Tier 3 | Supporting service, low data sensitivity | Annually or on change |
This type of table helps stakeholders see why some providers receive more attention than others and reassures assessors that your approach is risk‑based rather than arbitrary. It also gives practitioners a practical checklist for planning review cycles and allocating time.
Going Beyond Certificates and Scores
External ratings, certificates, and reports are inputs, not conclusions. What matters is how you interpret them and what you do next, especially when they reveal gaps or trends that conflict with your risk appetite or with regulatory expectations.
For each MSP, you should be able to show who reviewed the evidence and when, what concerns or exceptions they noted, what actions were agreed with owners and deadlines, and how residual risk was rated after the review. For CISOs and risk teams, this record is often more important than the certificate itself.
That record, more than the certificate, demonstrates to auditors and customers that you exercise judgement and follow through. Over time, it also gives you a trend view of which relationships are improving and which are drifting, and it provides concrete input when you consider remediation, renegotiation, or exit.
Integrating Oversight Into Existing Governance
Monitoring works best when embedded into forums that already exist. That way, supplier issues compete for attention alongside other operational priorities rather than being trapped in a separate supplier silo.
That might mean adding MSP risk as a standing agenda item in service review meetings, feeding supplier issues into change advisory boards or operational risk committees, and ensuring that significant MSP incidents are reported to the same senior forums as internal ones. For practitioners, this integration avoids the feeling of “extra” meetings and instead builds supplier oversight into normal rhythms.
By doing this, supplier risk is treated alongside other sources of operational risk, not as a parallel track handled only by procurement or security. It also reduces the risk that an issue raised in one part of the organisation never reaches the decision‑makers who can act on it, and it aligns neatly with expectations in NIS 2 and DORA around board‑level visibility of ICT third‑party risk.
Exercising and Testing the Relationship
Real assurance comes from seeing how MSPs behave under pressure. Joint tests help you understand whether contractual expectations translate into behaviour when it matters most, and they often reveal gaps no paper review will catch.
Joint activities might include table‑top exercises simulating an incident that originates at or affects the MSP, combined threat‑hunting focused on shared platforms or integrations, and recovery tests that involve both your teams and the provider. For practitioners and operations leads, these exercises provide practical evidence of how playbooks and communication channels work, and incident‑response communities such as FIRST promote joint exercises and coordinated testing with key service providers for exactly this reason.
Such exercises reveal gaps in playbooks, communications, and technical controls that questionnaires cannot surface. They also build trust and familiarity between teams, which can make real incidents easier to manage. Supervisory bodies increasingly recommend this type of collaborative testing for critical third‑party relationships.
Linking Monitoring to Risk Appetite and Action
MSP monitoring must link back to your risk appetite. If you have defined the conditions under which a relationship becomes unacceptable, there should be a clear route from observations to decisions and actions.
If you have decided, for example, that repeated missed security SLAs or recurring incidents are unacceptable for a high‑risk tier, oversight processes must detect when those thresholds are reached, escalate issues to the right governance forum, and trigger decisions such as remediation plans, contract renegotiation, or exit planning. For CISOs, being able to show this chain gives boards confidence that MSP risk is not just being observed but actively managed.
Recording these decisions in your ISMS or GRC platform, and tying them to specific findings, turns everyday operations into clear evidence that A.5.19 is being lived, not just documented. It also forms a natural bridge into the multi‑framework alignment described in the next section.
Aligning A.5.19 MSP Controls With NIS 2, DORA, SOC 2 and Sector Rules
Many organisations that work towards ISO 27001:2022 also find that they must address NIS 2, DORA, SOC 2, and sector‑specific obligations at the same time. For CISOs, privacy officers, and legal leads, the good news is that the core ideas behind A.5.19-knowing your ICT suppliers, assessing their risks, defining contractual safeguards, and monitoring them over time-appear in all of these frameworks.
Almost all respondents in the 2025 State of Information Security survey listed achieving or maintaining security certifications such as ISO 27001 or SOC 2 as a priority for their organisation.
Rather than running separate programmes, you can design one MSP control set and map it to multiple requirements. That reduces duplication, keeps your storey consistent between teams, and makes it easier to explain your approach to different audiences. It also reduces the chance that one framework drifts away from the others and introduces conflicting expectations, a concern frequently raised in supervisory guidance.
Building a Simple MSP Control Crosswalk
A simple crosswalk helps boards, regulators, and auditors see that a single MSP lifecycle underpins multiple compliance stories, rather than being rebuilt for each standard. It also clarifies where sector‑specific overlays are required and where you can rely on shared controls.
In the 2025 survey, customers commonly expected their suppliers to align with formal frameworks such as ISO 27001, ISO 27701, GDPR, Cyber Essentials, SOC 2 and emerging AI standards rather than relying on generic good practice claims.
The first step is to define your own “canonical” MSP activities:
- Inventory and classification.
- Risk assessment and tiering.
- Due diligence and selection.
- Contracting and SLAs.
- Onboarding and technical integration.
- Monitoring and review.
- Change management and exit.
Then, for each, note which frameworks expect what. For example, you might summarise ISO 27001 A.5.19 for supplier security, NIS 2 for supply‑chain risk, DORA for ICT third‑party risk management and minimum contract content, and SOC 2 for vendor and business‑partner risk under security, availability, and confidentiality criteria. With that single view, you can show both internally and externally how one activity supports several compliance needs, and where additional attention is needed for particular regulators.
Defining Boundaries Between Controls
ISO 27001:2022 groups several supply‑chain related controls together. If you are not careful, work can be duplicated or gaps can appear at the edges, especially when internal teams interpret scopes differently.
To avoid confusion, decide clearly where A.5.19 (information security in supplier relationships) ends and clarify where A.5.20–A.5.23, business continuity, and incident management pick up. For example, your MSP due‑diligence checklist might be owned under A.5.19, while tests of resilience and recovery sit under business continuity controls, even though they relate to suppliers.
Making these boundaries explicit helps assign process owners and prevents duplicated work or missed responsibilities. It also helps practitioners and auditors navigate your control framework without debating which clause “really” owns a particular activity, and sets the stage for more coherent cross‑framework reporting.
Using the ISMS as the Hub
A unified approach works best when everything lives in one system of record. That is how you avoid separate spreadsheets for each framework and inconsistent stories between security, privacy, and legal teams.
That could mean a single supplier register with risk tiers and mappings to frameworks, control records that reference multiple standards codes where relevant, and evidence repositories where each document is tagged with the controls and regulations it supports. For practitioners, this makes everyday work simpler; for CISOs and legal leads, it provides a clear narrative when questioned by boards or regulators.
An ISMS platform such as ISMS.online is designed to make this type of cross‑mapping easier, so new frameworks can be layered onto existing controls without restructuring everything from scratch. For Kickstarters, that means you can start with ISO 27001 and know you have room to grow into SOC 2, NIS 2, or DORA using the same underlying MSP framework.
Extending to Sector and Regional Requirements
Sector rules often add detail on top of generic cyber expectations. By treating A.5.19 controls as reusable building blocks, you can adapt without reinventing your MSP approach each time a new regulation appears.
A strong majority of organisations in the 2025 ISMS.online survey said the speed and volume of regulatory change are making security and privacy compliance harder to sustain.
For instance, healthcare emphasises business associate agreements and privacy safeguards, payments focus on cardholder data environments and service‑provider requirements, and financial services add outsourcing, resilience, and audit access expectations. Supervisory guidance across these sectors often points back to similar underlying themes: due diligence, contractual clarity, and ongoing oversight.
By treating A.5.19 controls as building blocks, you can add sector‑specific overlays-additional clauses, extra checks, more frequent reviews-without redesigning your MSP framework every time. That keeps your approach stable while allowing for nuanced differences where they matter, and it reduces the cognitive load on teams who would otherwise have to juggle separate supplier programmes.
Coordinating Evidence Requests
Multiple stakeholders will ask for proof that you control MSP risk. Reusing the same evidence across standards wherever possible reduces cost and inconsistency, and makes life easier for the teams assembling responses.
These stakeholders include external auditors and certification bodies, national regulators and supervisors, and large customers performing due diligence. Each may ask for different angles on the same underlying MSP storey.
If your control crosswalk and evidence set are centralised, you can respond to these requests from the same source rather than crafting bespoke packs each time. That reduces effort and also demonstrates maturity to assessors, who can see that supplier oversight is grounded in a single, coherent framework rather than stitched together for each new question.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Evidence and Audit‑Ready MSP Oversight Under A.5.19
Ultimately, A.5.19 lives or dies on whether you can show that MSP risks are identified, treated, and monitored in practice. For CISOs, privacy officers, and practitioners, that means having the right documents in the right place, linked to the right controls and decisions, and ready to explain to auditors, regulators, and customers.
Evidence does not need to be complex; it needs to be coherent. The aim is to show a clear line from policy intent, through process, to records of what actually happened. When that line is visible, assessments, renewals, and conversations with stakeholders become more confident and less improvisational, and you are better placed to explain your decisions if something goes wrong.
Regulators and certification bodies increasingly expect this type of traceable narrative for critical third‑party relationships, as reflected in ISO‑aligned certification and audit‑preparation materials from international certification organisations. That expectation applies whether you are a Kickstarter working towards first certification or a mature CISO managing multiple overlapping frameworks.
Defining a Standard MSP Evidence Pack
A standardised evidence pack makes reviews and audits faster and less stressful. Everyone knows which documents to assemble, and gaps become obvious long before an external assessor asks questions.
For each high‑risk MSP, you might aim to assemble a consistent evidence pack containing the current contract and security schedule or annex, the risk assessment and tiering rationale, due‑diligence outputs and acceptance decisions, records of onboarding checks and approvals, recent monitoring reports and meeting notes, incident reports and post‑incident reviews where relevant, and exit plans or records if termination has occurred.
For example, for a Tier 1 MSP providing backup and disaster recovery, you might expect to see the contract’s recovery objectives, a recent test report, a current risk assessment, minutes from the last service review, and a record of how lessons from any incidents were addressed. When this template is agreed, gaps in your current documentation become visible and can be addressed in a planned way, rather than as last‑minute scrambles before an audit.
Linking Artefacts to Controls and Frameworks
Evidence is more powerful when it is clearly tied to specific obligations. That link is what allows you to answer “how” and “why” questions under pressure, not just “what”.
Within your ISMS or GRC tool, you can tag each document with the control codes it supports (for example, A.5.19, A.5.20), link it to any relevant regulatory provisions such as NIS 2 supply‑chain measures, and associate it with the supplier record and service description. For legal and privacy leads, this mapping is also what makes it easier to demonstrate that outsourcing supports, rather than undermines, your statutory obligations.
That way, when someone asks, “How do you meet A.5.19 for this MSP?”, you can retrieve the full context from one place instead of piecing it together manually. It also helps ensure that you use the same evidence for multiple overlapping expectations, reducing duplication and confusion across frameworks.
Demonstrating Continuous Improvement
Auditors and boards increasingly look for signs that you learn and adapt. A static set of documents tells them you once cared; a trail of improvement shows you still do.
For MSP oversight, that might include post‑incident reviews that document what went well and what did not, risk ratings updated in response to events or changes in service, and contract or control changes made in response to lessons learned. For CISOs, this improvement trail is often what shifts the narrative from “compliance” to “resilience”.
Recording these steps shows that your supplier‑management framework is dynamic. It also helps justify decisions such as renewing, renegotiating, or exiting relationships, because you can point to specific triggers and responses, rather than relying on institutional memory or individual recollection.
Preserving Decision History
Supplier decisions often span several years and many individuals. When something goes wrong, being able to reconstruct why a decision was taken can be crucial in internal and external reviews, particularly for privacy and legal officers who may be questioned directly.
Maintaining version‑controlled repositories for risk assessments and acceptance decisions, policy and procedure versions, and governance minutes and approvals allows you to reconstruct why choices were made at the time. That can be critical if an incident is scrutinised later or if regulators examine historical governance.
It also helps new leaders understand how MSP strategy has evolved rather than guessing at past motivations. For Kickstarters, starting this discipline early avoids the future pain of rebuilding history from scattered emails and draughts.
Telling a Clear Oversight Storey
Beyond detailed packs, having a concise narrative for leadership matters. A clear MSP storey helps ensure that the board, regulators, and customers all hear consistent messages about how you run supplier risk.
A good oversight storey might summarise your overall MSP strategy and risk appetite, describe how A.5.19 and related controls are implemented in practice, highlight current priorities, improvements, and risks, and show how oversight integrates with wider governance and resilience work. For CISOs, this is often the narrative they use in board updates and external briefings.
Practising this storey ahead of audits and board meetings helps ensure everyone involved can explain their part confidently. It also makes it easier to align communications between security, privacy, legal, and operations teams, and it prepares you well for discussions about how tools like ISMS.online can support and streamline that oversight.
Book a Demo With ISMS.online Today
ISMS.online gives you a single, structured environment to design, run, and evidence MSP oversight in line with A.5.19 and related requirements, so you spend less time chasing documents and more time making informed decisions about supplier risk. For Kickstarters, CISOs, privacy officers, and practitioners, that means turning MSP oversight from scattered spreadsheets and email trails into a coherent, defensible storey.
How ISMS.online Supports A.5.19 in Practice
If you bring MSP information into one place, it becomes much easier to see who your critical providers are, which controls apply, and where gaps exist. ISMS.online helps you maintain a live supplier register with risk tiers, control mappings, contracts, and review records, so security, procurement, legal, operations, and risk teams can all work from the same source of truth.
Instead of chasing documents across drives and mailboxes before each audit, you can work from a live register that supports due diligence, contracting, monitoring, and exit. Responsibilities are clearer, and nothing depends on one person’s memory. Because A.5.19 links naturally to other supplier and resilience controls, you can also map MSP work to NIS 2, DORA, SOC 2, and sector rules without creating parallel processes or duplicating evidence, which strengthens your overall resilience narrative.
Deciding Whether to Explore ISMS.online Further
The next step does not need to be a big commitment. A short, focused walkthrough is usually enough to see whether this way of working fits your organisation and your MSP landscape, and to identify where it could replace todays manual effort and fragmentation.
You can walk through a sample MSP lifecycle, load a handful of your own suppliers, and see how existing artefacts map to ISO 27001, NIS 2, DORA, or other frameworks you care about. From there, it is easier to decide what a phased rollout might look like: which high‑risk relationships to bring in first, which metrics to track, and how quickly you could move from ad‑hoc practices to a coherent A.5.19 storey.
If you are responsible for security, compliance, operations, privacy, or procurement and you know MSP risk deserves a more joined‑up approach, a conversation with the ISMS.online team can help you explore options. You keep control of your programme; the platform simply gives you a practical, evidence‑ready way to run it across all of the standards, regulations, and stakeholders that matter to you.
Book a demoFrequently Asked Questions
How does ISO 27001:2022 Annex A.5.19 actually change the way you handle MSPs and other suppliers?
Annex A.5.19 expects you to manage important suppliers as if they sit inside your own ISMS boundary, with risk‑based control and visible oversight instead of a static vendor list.
What does that mean in practical, audit‑ready terms?
For every material MSP or supplier, you should be able to walk an auditor through a simple storey:
- Why they matter: – they touch production, sensitive data, critical services, your ISMS scope, or your continuity plans.
- How risky they are: – you use a repeatable tiering method (for example, critical / important / standard) based on access and impact.
- What you require from them: – concrete expectations for security, privacy, resilience and incident handling, not woolly “industry standard” language.
- Where those requirements live: – policies, contract clauses, SLAs, security schedules and runbooks, with clear version history.
- How you keep them under review: – a defined cadence, known inputs (assurance reports, incidents, SLA data, tickets) and recorded decisions.
- How you end or change the relationship: – planned data return/erasure, access removal, handover, and captured lessons.
Customers, regulators and newer regimes such as NIS 2 and DORA increasingly expect to see a line from risk thinking → requirements → agreements → monitoring → exit, backed by evidence. If you can explain that line calmly for each key provider, Annex A.5.19 is working in practice, not just on paper.
How can an ISMS or IMS keep this consistent across teams?
A functioning information security management system (ISMS) – ideally inside an Annex L‑style integrated management system (IMS) – gives you the scaffolding to:
- Maintain a central, risk‑tiered supplier register
- Link each MSP to services, assets, risks, controls, contracts and incidents
- Map relationships to ISO 27001 Annex A.5.19 and related controls such as A.5.20–A.5.22
- Embed supplier reviews into routine governance rather than ad‑hoc fire drills
ISMS.online is built around that approach. You can register suppliers once, reuse evidence across ISO 27001, SOC 2, NIS 2 and DORA, and show that you run supplier oversight as a living system rather than a scramble before each audit. For a CISO or privacy lead, that makes it far easier to stand in front of the board and say, “Our outsourced services are under control.”
How can an MSP‑heavy organisation uncover hidden supplier risk before an auditor or attacker does?
You uncover hidden supplier risk by comparing who actually has technical and business access to your estate with who appears on your official supplier register, then closing the gaps.
Where do the most serious blind spots usually appear?
Three patterns show up repeatedly in MSP‑dependent environments:
- Shadow MSPs:
Local IT firms, niche SaaS products, web agencies, integration partners and freelancers who hold admin accounts, VPN access or production data but have never been treated as “in‑scope” suppliers.
- Unknown blast radius:
No quick answer to: “If this MSP failed or was compromised, which services, customers or regions would suffer, and how badly?”
- Concentration risk:
Several critical services or major customers depend on a single MSP or tight vendor cluster, so one outage turns into a multi‑service, multi‑customer event.
A focused sweep across a few data sources surfaces these faster than most teams expect:
- Export all external identities from IAM, VPN, remote‑access and privileged‑access tools.
- Compare firewall rules, endpoint agents, monitoring integrations and ticket queues with the names on your supplier register.
- Ask finance for a 12‑month spend report for vendors tagged as “IT / cloud / services” and reconcile it with your ISMS view.
Once you know who is really in your stack, what they touch and how critical they are, you can:
- Bring the right providers formally into Annex A.5.19 scope
- Decide where standard security clauses, NDAs and resilience terms are mandatory
- Elevate supplier exposure into continuity and risk discussions rather than leaving it buried in day‑to‑day operations
How can ISMS.online turn that mapping work into something sustainable?
ISMS.online lets you consolidate those discoveries into a single supplier register where you can:
- Tag each MSP with a risk tier and link them to assets, services and locations
- Attach assurance reports, incidents, tickets and improvement actions to the right provider
- Visualise clusters of exposure so you can answer “Which suppliers could take out this service tomorrow?” without hunting through spreadsheets
For small or stretched teams, that central view turns a one‑off discovery exercise into an ongoing way of working, so you stay a step ahead of auditors and attackers rather than reacting to them.
How can a small team turn Annex A.5.19 into a realistic supplier‑risk framework?
A small team makes Annex A.5.19 workable by wrapping a simple lifecycle around how you already select, contract, run and exit MSPs, and by scaling effort to risk rather than treating every vendor the same.
What does a lightweight, auditable supplier lifecycle look like?
A six‑stage model is usually enough to satisfy auditors without creating red tape:
- Scoping:
Decide whether a supplier genuinely belongs inside your ISMS boundary and how much damage their failure or breach could cause.
- Due diligence:
Collect evidence proportional to their tier: a short questionnaire and a certificate for standard suppliers; deeper assurance, references and architecture detail for critical MSPs.
- Contracting:
Build in explicit expectations for security, privacy, SLAs, business continuity and exit, aligned to your risk appetite and regulatory duties.
- Onboarding:
Set up identities, access paths, logging, monitoring and runbooks, with named approvers and recorded steps so you can show who authorised what.
- Operation and change:
Run reviews on a set cadence, act on incidents and SLA data, adjust scopes or access when services change, and update risk ratings through existing governance forums.
- Exit:
Plan data return or secure erasure, remove access fully, ensure knowledge transfer, collect lessons learned and close the relationship in your records.
The discipline comes from tiering, not from treating every SaaS subscription like a strategic outsourcing deal. Your highest‑impact MSPs pass through the full lifecycle with richer checks; lower‑impact tools may only need a light‑touch version and periodic spot checks.
In a joined‑up management system, you can:
- Assign owners for each lifecycle stage and keep approvals, evidence and decisions together
- Link lifecycle steps directly to ISO 27001 Annex A.5.19 and related controls (A.5.20 supplier agreements, A.5.21 ICT supply chain, A.5.22 supplier services)
- Reuse supplier‑risk work across SOC 2, NIS 2, DORA, ISO 27701, ISO 22301 and sector frameworks instead of building fresh spreadsheets for each
ISMS.online lets you design this lifecycle once, apply it to every new MSP, and show auditors, customers and your board that your supplier control is consistent and risk‑based, not improvised by whichever manager signed the last contract. That is especially helpful when you are a compliance Kickstarter or practitioner trying to do all this alongside your day job.
Which contract and SLA elements matter most for MSP oversight under Annex A.5.19?
The contract and SLA elements that matter most are the ones that turn your expectations into clear, enforceable commitments, so you are not arguing about security in the middle of an outage.
What should you insist on in a security‑aware MSP agreement?
Five clusters carry most of the practical weight:
- Security and access management:
Minimum controls (for example, multi‑factor authentication, standard patch windows, secure remote access), clear rules for granting, reviewing and revoking privilege, and access to logs when you need to investigate.
- Incident notification and cooperation:
Defined triggers, timelines, escalation paths and reporting content, plus how joint triage, containment, forensics and recovery will work in practice.
- Data protection and confidentiality:
Roles (controller/processor), data categories, processing purposes, storage locations, sub‑processors, cross‑border transfers, and support for breach notification and data‑subject rights across regimes like GDPR and CCPA.
- Assurance and audit rights:
Which assurance artefacts you will receive (ISO 27001/27701 certificates, SOC 2 reports, penetration‑test summaries), how often, and under what conditions you can request deeper assessment or an on‑site/remote visit.
- Exit and transition support:
Obligations to return or securely erase data, hand over documentation, assist a move to a new provider, and support continuity and recovery plans.
Standardising these into a short security and resilience schedule keeps legal, security, procurement and privacy aligned. You can then handle exceptions through a documented risk‑acceptance process, and you have a much stronger storey when customers or regulators ask how Annex A.5.19 is embedded in your supplier agreements.
How does an Annex L‑style IMS make those clauses easier to maintain?
If you run an integrated management system for security, privacy, continuity and quality, you can:
- Align contract language with ISO 27001 Annex A, ISO 27701, ISO 22301 and sector rules such as NIS 2 and DORA
- Reuse the same clause sets across standards instead of juggling separate contract templates that drift over time
- Demonstrate that supplier controls are consistent across risk, continuity and data‑protection programmes
ISMS.online can store those standard schedules as controlled documents, link them directly to supplier records, and keep approvals and version history together. When an auditor or customer asks which clauses apply to a specific MSP, you can show them quickly instead of combing through shared drives and email chains.
How should you monitor MSPs so Annex A.5.19 is clearly operating, not just written down?
Annex A.5.19 looks alive when you can show that MSP performance, risk and assurance are reviewed on a predictable cadence, with clear decisions and follow‑through, rather than revisited only before certification.
What does credible ongoing oversight look like for different supplier tiers?
For each risk tier, you want three things in place:
- A defined review rhythm:
For example, critical MSPs reviewed at least quarterly, important providers twice a year, and lower‑impact suppliers annually or on material change.
- Agreed inputs:
A mix of:
- External assurance: ISO certificates, SOC reports, vulnerability or penetration‑test summaries
- Incident and outage reports, including root‑cause analysis
- SLA / availability data, change failure rates, backlog and ticket trends
- Internal signals such as recurring issues, user complaints or near‑misses
- Documented decisions and actions:
Updated risk ratings, agreed remediation plans with owners and deadlines, triggers for renegotiation or exit when posture or performance changes, and evidence that actions have been closed or consciously accepted.
Rather than inventing new committees, most organisations get better results by folding supplier reviews into forums that already exist, such as:
- Service reviews with MSPs
- Change advisory boards
- Risk and compliance committees
- Business continuity or resilience meetings
That way, supplier issues are weighed alongside other risks, and it is clear to the board how Annex A.5.19 fits into wider resilience and risk management.
How can ISMS.online help you show that oversight is continuous?
In ISMS.online you can:
- Set review cadences for each risk tier, assign owners and associate each MSP with the governance meetings that cover them
- Store assurance reports, review minutes, incidents, risk ratings and actions within the supplier record
- Track remediation and improvement actions to closure and visualise status in dashboards used by CISOs, DPOs, internal audit and business leaders
The result is a defensible audit trail that supplier oversight is running all year round, not just revived during certification season, and a much easier conversation when customers or regulators ask how you keep outsourced services under control.
How can ISMS.online help you evidence and manage Annex A.5.19 for MSPs without adding headcount?
ISMS.online helps you run Annex A.5.19 with the team you already have by pulling supplier lifecycle, risk thinking, contracts and oversight into one environment and making that work reusable across frameworks.
What changes when MSP oversight moves into a single ISMS.online workspace?
Organisations typically see three practical shifts:
- Sharper visibility of exposure:
Your key MSPs, their risk tiers, linked assets and services, contracts, assurance documents, incidents and actions all sit in a structured supplier register. When a CISO, privacy officer or board member asks “Who owns this provider, how risky are they and what are we doing about it?”, you can answer within minutes.
- Consistent ways of working across teams:
Shared workflows for scoping, due diligence, contracting, onboarding, operation, change and exit mean security, legal, procurement, operations and privacy teams all follow the same playbook. That consistency is exactly what auditors, regulators and large customers look for when they assess your control over outsourced services.
- Calmer responses to audits and due‑diligence requests:
Because documents, decisions and mappings to Annex A.5.19, A.5.20–A.5.22, NIS 2, DORA, SOC 2 and sector requirements are already linked to each supplier, you can answer certification audits, customer questionnaires and board questions quickly, without weeks of manual evidence‑hunting.
If you want to see how this could work in practice, a low‑risk next step is to take two or three real MSPs and walk them through a sample lifecycle in ISMS.online – from scoping and due diligence to live reviews and an exit plan. That short exercise will show you where you can replace manual effort, close obvious gaps and tell a confident, joined‑up Annex A.5.19 storey that fits how you want to be seen as a compliance Kickstarter, senior security leader, privacy owner or practitioner running the day‑to‑day work.
