The supplier register captures all external service providers that have access to your information or IT systems. Each supplier is documented with their security requirements, contractual framework, and the result of the most recent assessment.
ISO 27001 requires managing information security in supplier relationships (A.5.19) and monitoring and reviewing supplier services (A.5.22). NIS2 tightens supply chain security requirements in Art. 21(2)(d). The register is the central tool for implementing these requirements operationally.
What does it contain?
The CSV template covers the supplier relationship from onboarding to regular assessment:
- Supplier ID and name — unique identifier and company name
- Type of service — cloud service, development, hosting, consulting, physical services
- Access to information/systems — which data and systems are affected?
- Risk rating — low, medium, high, critical
- Contractual security requirements — DPA, SLA, audit rights, incident notification obligations
- Certifications — ISO 27001, SOC 2, C5, or other evidence
- Last assessment and result — date and outcome
- Next planned assessment — deadline for the next review
How to use it
Inventory all external parties. Start by collecting every service provider that has access to information or systems. Frequently overlooked suppliers include the external accountant with ERP access, the printer vendor with remote maintenance access, and the marketing agency with CRM access.
Risk rating and contract review. Each supplier is assessed based on the risk the relationship poses. High risk ratings require more comprehensive contractual provisions — data processing agreement, security requirements, audit rights, incident notification obligations. Review existing contracts for these clauses and document any gaps.
Ongoing monitoring. Supplier assessments are an ongoing effort. On a defined schedule (annually for standard suppliers, semi-annually or quarterly for critical ones), you check certification status, incident history, and contract compliance. Results flow back into the register and, where needed, into the risk register.
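The three steps above are easy to automate once the register lives in CSV. The script below is an added example, not part of the template or the original page: it parses a register in the template's column layout (a reduced subset of the columns), derives a due date for each active supplier from the planned or last review, and reports the gaps a reviewer would otherwise look for by hand. The review intervals (182 days for critical suppliers, 365 otherwise), the 90-day contract warning window, and the rows SUP-013 and SUP-014 are assumptions constructed for the example; SUP-001 and SUP-006 mirror rows of the example table.

```python
import csv
import io
from datetime import date, timedelta

# Assumed intervals derived from the schedule in the text: semi-annual for critical
# suppliers (use 91 days if your policy is quarterly), annual for everyone else.
REVIEW_INTERVAL_DAYS = {"critical": 182}
DEFAULT_INTERVAL_DAYS = 365
CONTRACT_WARNING_DAYS = 90  # assumption: warn when a contract ends within 90 days

# Constructed sample register in the template's column layout. SUP-001 and SUP-006
# mirror rows of the example table; SUP-013 and SUP-014 are invented to show gaps.
SAMPLE_CSV = """\
ID,Supplier,Category,Criticality,Data Accessed,Contract End,DPA Signed,Certifications,Last Review,Next Review,Status
SUP-001,Amazon Web Services,IaaS,Critical,Customer database + backups,2026-12-31,Yes,ISO 27001 SOC 2 C5,2026-01-15,2027-01-15,Active
SUP-006,CleanOffice GmbH,Service,Low,Physical premises,2026-05-31,No (NDA only),N/A,2025-10-01,2026-10-01,Active
SUP-013,Example Analytics Ltd,SaaS,High,Customer usage data,2026-03-31,No,N/A,2025-01-10,,Active
SUP-014,Old Hosting Co,IaaS,Critical,Web servers,2024-12-31,No,N/A,2023-01-01,2024-01-01,Terminated
"""


def parse_date(value):
    """Return a date, or None for blanks and non-dates such as 'Rolling' or 'N/A'."""
    try:
        return date.fromisoformat((value or "").strip())
    except ValueError:
        return None


def load_register(text):
    """Parse the register CSV into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review_due_date(row):
    """Planned next review if recorded, otherwise last review plus the assumed interval."""
    planned = parse_date(row.get("Next Review"))
    if planned:
        return planned
    last = parse_date(row.get("Last Review"))
    if last is None:
        return None
    interval = REVIEW_INTERVAL_DAYS.get(row["Criticality"].strip().lower(), DEFAULT_INTERVAL_DAYS)
    return last + timedelta(days=interval)


def check_register(rows, today):
    """Return (supplier id, finding code, message) tuples for active suppliers."""
    findings = []
    for row in rows:
        if row["Status"].strip().lower() != "active":
            continue  # terminated suppliers stay in the register for history only
        sid = row["ID"]
        high_risk = row["Criticality"].strip().lower() in {"critical", "high"}

        due = review_due_date(row)
        if due is None:
            findings.append((sid, "REVIEW_MISSING", "no review date recorded"))
        elif due < today:
            findings.append((sid, "REVIEW_OVERDUE", f"review was due {due}"))

        # A high-risk supplier with no DPA is a contract gap to document.
        # 'N/A' is accepted here; the review should record why no DPA is needed.
        if high_risk and row["DPA Signed"].strip().lower().startswith("no"):
            findings.append((sid, "DPA_MISSING", "no data processing agreement"))

        # Without certification evidence, a high-risk supplier needs your own assessment.
        if high_risk and row["Certifications"].strip().upper() in {"", "N/A"}:
            findings.append((sid, "NO_EVIDENCE", "no certification or audit evidence"))

        end = parse_date(row.get("Contract End"))  # None for rolling contracts
        if end and end - today <= timedelta(days=CONTRACT_WARNING_DAYS):
            findings.append((sid, "CONTRACT_EXPIRING", f"contract ends (or ended) {end}"))
    return findings


if __name__ == "__main__":
    for finding in check_register(load_register(SAMPLE_CSV), date.today()):
        print("%s %-18s %s" % finding)
```

Run it against the exported register on the review schedule (a monthly cron job is enough); each finding maps directly onto a register field to update or a gap to carry into the risk register. The DPA and evidence checks deliberately fire only for high and critical suppliers, so a cleaning contractor with an NDA only, as in the example table, produces no noise.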
| ID | Supplier | Service | Category | Criticality | Data Accessed | Location | Contract Start | Contract End | DPA Signed | Certifications | Last Review | Review Result | Next Review | Status | Owner |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SUP-001 | Amazon Web Services | Cloud infrastructure (eu-central-1) | IaaS | Critical | Customer database + backups | Frankfurt DE | 2023-01-01 | 2026-12-31 | Yes | ISO 27001 SOC 2 C5 | 2026-01-15 | Satisfactory | 2027-01-15 | Active | IT Operations Lead |
| SUP-002 | Microsoft | M365 + Azure AD | SaaS | Critical | Email + files + identity | EU cloud | 2022-06-01 | 2026-05-31 | Yes | ISO 27001 SOC 2 C5 | 2025-11-20 | Satisfactory | 2026-11-20 | Active | ISO |
| SUP-003 | Personio | HR SaaS | SaaS | High | Employee master data payroll | Munich DE | 2023-03-01 | 2026-02-28 | Yes | ISO 27001 | 2025-12-01 | Satisfactory | 2026-12-01 | Active | HR Lead |
| SUP-004 | Vendor X Logistics | Logistics portal SaaS | SaaS | Critical | Customer shipments | Amsterdam NL | 2024-01-01 | 2027-12-31 | Yes | ISO 27001 | 2026-02-10 | Satisfactory - one minor finding | 2027-02-10 | Active | Head of Ops |
| SUP-005 | SecureIT GmbH | Data destruction | Service | Low | Physical media | Hamburg DE | 2022-01-01 | 2026-12-31 | N/A | DIN 66399 | 2025-09-01 | Satisfactory | 2026-09-01 | Active | IT Operations Lead |
| SUP-006 | CleanOffice GmbH | Office cleaning | Service | Low | Physical premises | Hamburg DE | 2023-06-01 | 2026-05-31 | No (NDA only) | N/A | 2025-10-01 | Satisfactory | 2026-10-01 | Active | Facilities Lead |
| SUP-007 | Fortinet (via reseller) | Firewall hardware + support | Hardware/Support | High | Network traffic metadata | Remote support | 2024-01-01 | 2027-12-31 | N/A | ISO 27001 (vendor) | 2025-12-10 | Satisfactory | 2026-12-10 | Active | IT Operations Lead |
| SUP-008 | Splunk | SIEM SaaS | SaaS | High | Log data (including PII metadata) | EU cloud | 2023-09-01 | 2026-08-31 | Yes | ISO 27001 SOC 2 | 2026-01-25 | Satisfactory | 2027-01-25 | Active | ISO |
| SUP-009 | Kanzlei Weber & Partner | Legal counsel | Service | Medium | Contract data | Hamburg DE | 2021-01-01 | Rolling | Yes | N/A | 2025-11-01 | Satisfactory | 2026-11-01 | Active | CEO |
| SUP-010 | KPMG | External ISMS audit | Service | Medium | ISMS documentation | Hamburg DE | 2024-01-01 | 2026-12-31 | N/A (auditor) | ISO 17021 | 2025-06-01 | Satisfactory | 2026-06-01 | Active | ISO |
| SUP-011 | DHL Express | Parcel delivery | Service | Low | Shipment addresses | Global | 2020-01-01 | Rolling | Yes | N/A | 2025-11-15 | Satisfactory | 2026-11-15 | Active | Head of Ops |
| SUP-012 | Let's Encrypt (ISRG) | TLS certificates | Service | Medium | Public keys only | Global | 2022-01-01 | Rolling | N/A | Web PKI audit | 2026-01-01 | Satisfactory | 2027-01-01 | Active | IT Operations Lead |
Sources
- ISO/IEC 27001:2022, A.5.19 — information security in supplier relationships
- ISO/IEC 27001:2022, A.5.22 — monitoring and review of supplier services
- NIS2 Directive (EU 2022/2555), Art. 21(2)(d) — supply chain security