Managing Information Security in Supplier Relationships
Ensure suppliers of products/services do not pose security risks through defined processes.
Plain language
This control is about making sure the businesses you work with, like suppliers, don't accidentally expose or damage your company's sensitive information. Imagine your supplier's weak security becoming your problem – it could lead to data being leaked or tampered with, hurting your reputation or finances.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
Why it matters
If supplier information security risks are not managed, third-party access or insecure supplier services can cause data breaches, outages, and reputational damage.
Operational notes
Regularly review supplier due diligence, contracts and SLAs for security clauses; reassess suppliers on change or incidents and update requirements based on risk.
Implementation tips
- Procurement should develop a process for evaluating suppliers' security practices before signing contracts. They can start by asking suppliers about their security policies, certifications, and past incidents, and should document these discussions.
- The IT manager should work with suppliers to define what parts of the company’s network and data they can access. This means setting clear boundaries and permissions, such as limiting access to only what's necessary for the service provided.
- Legal should include specific security requirements in all supplier contracts. They should detail expectations like data protection measures, incident reporting timelines, and consequences for breaches, aligning with standards like the Privacy Act 1988.
- The security officer should regularly review suppliers' compliance with your security standards. This could involve periodic audits or reviews of their security certifications to ensure they maintain adequate security practices.
- HR should provide training to employees about interacting safely with supplier personnel. This involves teaching staff how to handle sensitive information and what to do if they suspect a security issue.
Audit / evidence tips
- Ask: Request a list of all current suppliers with a description of the services provided.
  Good: Each supplier is assessed for security risks, and there’s evidence of a documented evaluation process.
- Ask: Ask for copies of contracts with key suppliers.
  Good: Contracts include specific security clauses aligning with legal and organisational standards.
- Ask: Request evidence of initial and ongoing supplier security assessments.
  Good: There is a record of regular assessments showing supplier compliance, with issues addressed promptly.
- Ask: Inquire about the process for granting and reviewing suppliers' access to your systems.
  Good: Access is limited to necessary functions, regularly reviewed and adjusted based on changes in service or risk level.
- Ask: Ask for documentation of employee training related to supplier interactions.
  Good: Training is completed by relevant staff and covers interaction protocols, data sharing rules, and security awareness.
Cross-framework mappings
How Annex A 5.19 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (26) | | |
| ISM-0141 | ISM-0141 requires a specific supplier-relationship outcome: service provider contracts must document prompt cyber incident reporting to a... | |
| ISM-0280 | ISM-0280 requires organisations to select PP-evaluated products in preference to EAL-evaluated products when procuring evaluated products | |
| ISM-0285 | ISM-0285 mandates delivery of evaluated products consistent with evaluator-defined procedures | |
| ISM-0731 | ISM-0731 requires the CISO to oversee the organisation’s cyber supply chain risk management activities | |
| ISM-0840 | ISM-0840 mandates use of a certified third-party destruction service for outsourced destruction of media storing non-accountable material | |
| ISM-1073 | ISM-1073 mandates that service providers can access or administer organisational systems only when a contractual agreement is in place | |
| ISM-1451 | ISM-1451 ensures data types and ownership are clearly documented in service contracts | |
| ISM-1452 | ISM-1452 requires organisations to perform supply chain risk assessments across suppliers of operating systems, applications, IT/OT equip... | |
| ISM-1567 | ISM-1567 requires organisations to avoid using suppliers that have been assessed as high risk in the cyber supply chain | |
| ISM-1571 | ISM-1571 requires contractual arrangements to include the right for the organisation to verify a service provider’s compliance with secur... | |
| ISM-1572 | ISM-1572 requires contractual arrangements with service providers to document the regions/availability zones where data is processed, sto... | |
| ISM-1573 | ISM-1573 requires contracts with service providers to document how the organisation can access all logs relating to its data and services | |
| ISM-1575 | ISM-1575 requires a documented minimum one-month notification period for a supplier to cease services, written into service provider cont... | |
| ISM-1632 | ISM-1632 requires organisations to procure operating systems, applications, equipment and services from suppliers with a strong track rec... | |
| ISM-1786 | ISM-1786 requires an organisation to develop, implement and maintain an approved supplier list | |
| ISM-1787 | ISM-1787 requires that operating systems, applications, IT/OT equipment and services are sourced only from approved suppliers | |
| ISM-1788 | ISM-1788 requires organisations to identify multiple potential suppliers for critical operating systems, applications, IT/OT equipment, a... | |
| ISM-1790 | ISM-1790 focuses on ensuring IT/OT deliveries arrive without tampering and with integrity preserved | |
| ISM-1791 | ISM-1791 requires organisations to assess the integrity of delivered IT/OT operating systems, applications, equipment and services as par... | |
| ISM-1794 | ISM-1794 requires contractual terms that compel service providers to give at least one month’s notice before significant changes to their... | |
| ISM-1800 | ISM-1800 requires network devices to be flashed with trusted firmware before first use, which helps counter risks arising from vendor or ... | |
| ISM-1804 | ISM-1804 relates to contractual break clauses for cloud service security non-compliance | |
| ISM-1826 | ISM-1826 requires organisations to choose server vendors that demonstrate commitment to Secure by Design and secure programming practices... | |
| ISM-1882 | ISM-1882 requires organisations to procure operating systems, applications, IT/OT equipment and services only from suppliers that have de... | |
| ISM-2008 | ISM-2008 requires organisations to authorise medical devices before they enter SECRET/TOP SECRET areas using explicit assurance and suppl... | |
| ISM-2082 | ISM-2082 requires using a CBOM for imported third-party components during development to validate cryptographic support aligns with ASD‑A... | |
| Partially overlaps (10) | | |
| ISM-0072 | Annex A 5.19 requires organisations to define and implement processes to manage information security risks arising from supplier products... | |
| ISM-0307 | ISM-0307 requires sanitising equipment and media before maintenance when an appropriately cleared technician is not used | |
| ISM-0824 | ISM-0824 advises personnel not to send or receive files via unauthorised online services | |
| ISM-1395 | ISM-1395 requires that service providers (and subcontractors) provide an appropriate level of protection for entrusted data | |
| ISM-1569 | ISM-1569 requires a documented and shared shared-responsibility model between supplier and customer to clearly assign security responsibi... | |
| ISM-1570 | ISM-1570 mandates periodic IRAP assessments for outsourced cloud service providers handling non-classified and classified data up to SECR... | |
| ISM-1576 | ISM-1576 requires that if a service provider accesses or administers an organisation’s systems in an unauthorised manner, the organisatio... | |
| ISM-1738 | ISM-1738 mandates regular verification of service provider compliance with contracted security requirements | |
| ISM-1785 | Annex A 5.19 requires defined and implemented processes and procedures to manage information security risks from suppliers’ products and ... | |
| ISM-1972 | ISM-1972 requires outsourced TOP SECRET cloud service providers (including SCI cloud services) to undergo an ASD assessor (or delegate) s... | |
| Supports (17) | | |
| ISM-1178 | ISM-1178 requires that network documentation provided to third parties is restricted to the minimum necessary for contractual delivery | |
| ISM-1195 | ISM-1195 requires the use of a specifically evaluated MDM product to enforce mobile device management policy, which is a product assuranc... | |
| ISM-1203 | ISM-1203 requires a threat and risk assessment for each system by the system owner with the authorising officer | |
| ISM-1480 | ISM-1480 requires evaluated peripheral switches that bridge SECRET/TOP SECRET and lower classifications to undergo a high assurance evalu... | |
| ISM-1535 | ISM-1535 requires processes and supporting procedures to prevent AUSTEO, AGAO, and REL data from being exported to unsuitable foreign sys... | |
| ISM-1574 | ISM-1574 requires organisations to document data portability expectations (backup, migration, and decommissioning without data loss) in c... | |
| ISM-1577 | ISM-1577 requires an organisation’s networks to be segregated from their service providers’ networks as a concrete technical risk treatme... | |
| ISM-1631 | Annex A 5.19 requires organisations to manage information security risks associated with using supplier products or services through defi... | |
| ISM-1637 | ISM-1637 requires an organisation to maintain and regularly verify a register of outsourced cloud services | |
| ISM-1638 | ISM-1638 requires maintaining a comprehensive register of outsourced cloud services, including purpose, data sensitivity/classification, ... | |
| ISM-1736 | ISM-1736 requires organisations to maintain a current, verified register of managed services | |
| ISM-1737 | ISM-1737 requires organisations to maintain a comprehensive managed service register capturing provider details, purpose, data sensitivit... | |
| ISM-1756 | ISM-1756 requires organisations to develop, implement and maintain vulnerability disclosure processes and procedures for reporting softwa... | |
| ISM-1793 | ISM-1793 requires managed service providers (and their managed services up to SECRET) to undergo an IRAP assessment against the latest IS... | |
| ISM-1797 | ISM-1797 requires organisations to ensure installers, patches and updates are authenticated using digital signatures or cryptographic che... | |
| ISM-2027 | ISM-2027 requires cryptographic integrity/authenticity checks (signatures or secure hashes via a secure channel) for software artefacts p... | |
| ISM-2088 | ISM-2088 requires organisations to validate and verify AI training data to ensure it is reliable and accurate for model training | |
| Related (2) | | |
| ISM-1568 | Annex A 5.19 requires processes and procedures to manage information security risks associated with suppliers’ products and services | |
| ISM-1789 | ISM-1789 necessitates verifying the authenticity of software, hardware, and services prior to their supply chain acceptance | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.