
A.5.19 — Information Security in Supplier Relationships

Reviewed by: Cenedril Editorial
Tags: A.5.19 · ISO 27001 · ISO 27002 · BSI OPS.2.3

A SaaS provider suffers a data breach, exposing customer records of 200 client organisations. Investigation reveals that none of those organisations had assessed the provider’s security practices before signing the contract. A.5.19 requires that information security requirements are defined, agreed and monitored for every supplier relationship that touches organisational assets.

Modern organisations depend on dozens — sometimes hundreds — of suppliers. Each supplier relationship extends the attack surface. Without a structured approach, the weakest supplier becomes the weakest link.

What does the standard require?

  • Identify and document supplier risks. The organisation must identify which suppliers can access, process, store, communicate or provide IT infrastructure components for the organisation’s information. Each relationship must be risk-assessed.
  • Define security requirements. Based on the risk assessment, the organisation must define information security requirements for each supplier or category of supplier. These requirements must be documented and communicated.
  • Establish a supplier management process. A defined process must govern the full supplier lifecycle: selection, onboarding, ongoing monitoring, incident handling and offboarding.
  • Monitor and review. The organisation must verify at planned intervals that suppliers continue to meet the agreed security requirements. Changes in the supplier’s environment or the scope of services trigger reassessment.
  • Handle relationship termination. When a supplier relationship ends, the organisation must ensure return or destruction of information, revocation of access and fulfilment of any surviving obligations.

In practice

Build a supplier register. List every supplier with access to organisational information or systems. Record the type of data accessed, the classification level, the contract owner and the last assessment date. This register is the steering instrument for the entire supplier security programme.

Conduct risk assessments before onboarding. Before signing a contract, assess the supplier’s security posture using questionnaires, certification reviews (ISO 27001, SOC 2, C5) or third-party audit reports. Document the findings and any conditions attached to the approval.

Define minimum security requirements. Publish a set of baseline security requirements that apply to all suppliers. For critical suppliers, add specific requirements (e.g., encryption standards, incident notification within defined hours, right to audit). Include these requirements in contracts (see A.5.20).

Schedule periodic reviews. Review critical suppliers at least annually. Standard suppliers can follow a longer cycle (e.g., every two years). Each review confirms that the supplier still meets the agreed requirements and that the risk profile has not changed.

Plan for offboarding. When a relationship ends, execute a defined checklist: revoke all access, retrieve or confirm destruction of data, archive contractual records and verify that no residual dependencies remain.

Typical audit evidence

Auditors typically expect the following evidence for A.5.19:

  • Supplier register — central list of all suppliers with risk classification and assessment status
  • Risk assessment records — completed assessments per supplier or supplier category
  • Security requirements catalogue — documented baseline and tier-specific requirements
  • Periodic review records — evidence of regular reassessment and outcome documentation
  • Offboarding checklists — evidence that departing supplier relationships were properly closed
  • Incident records — evidence that supplier-related security events were handled according to process

KPI

% of suppliers with completed IS risk assessments

This KPI measures how many active supplier relationships have been formally assessed for information security risks. A supplier without a completed assessment represents an unquantified risk. Target for critical suppliers: 100%.

Supplementary KPIs:

  • Percentage of critical suppliers reviewed within the last 12 months
  • Average time to complete a supplier security assessment
  • Number of suppliers with unresolved security findings

BSI IT-Grundschutz

A.5.19 maps to BSI’s outsourcing and third-party management requirements:

  • OPS.2.3 (Use of outsourcing) — the central module for managing security in supplier and outsourcing relationships, covering risk assessment, contractual requirements, monitoring and termination.
  • CON.9.A9 (Information exchange agreements) — requires formal agreements governing the exchange of information with external parties, supporting the contractual dimension of supplier security.

A.5.19 establishes the strategic framework for the supplier security cluster:

Frequently asked questions

Does A.5.19 apply to every supplier?

The control applies to all suppliers whose products or services could affect the organisation's information security. A cleaning company with after-hours building access is in scope just as much as a cloud hosting provider. The depth of the risk assessment and the stringency of requirements should be proportional to the risk.

How do I assess a supplier's security posture?

Common approaches include security questionnaires, review of certifications (ISO 27001, SOC 2), on-site audits and third-party assessment reports. The method should match the criticality of the supplier relationship.

What if a supplier refuses to share security information?

Document the refusal and escalate internally. Depending on the risk, the organisation may accept the residual risk with management approval, impose compensating controls or terminate the relationship. A supplier's refusal to demonstrate adequate security is itself a risk indicator.