Control 5.19 Information Security in Supplier Relationships

What is Control 5.19?

Control 5.19 is all about keeping your information safe when working with suppliers. It guides you on setting up processes to manage any security risks suppliers might bring, from evaluating and selecting secure partners to handling incidents and ending relationships smoothly.

Attributes: Control Type · Information Security Properties · Cybersecurity Concepts · Operational Capabilities · Security Domains

Understanding Control 5.19

Control 5.19 covers the information security risks that arise whenever a supplier provides products or services that touch your data, systems or facilities. At its core, it requires you to define and operate processes that manage those risks across the whole relationship, from selection through to termination. Its purpose, in the words of ISO/IEC 27002, is to maintain an agreed level of information security in supplier relationships.

The key objectives of Control 5.19 are to define clear security requirements for each type of supplier, to select only suppliers that can meet those requirements, and to verify that they continue to meet them over time. Done well, this gives you supplier interactions with known and accepted risk, a lower likelihood of a breach originating in the supply chain, and evidence that your data is protected by every party that handles it.

Key Components of Control 5.19

  • Setting Up Processes and Procedures: First, establish clear steps to manage any security risks tied to suppliers, from choosing the right partners to ongoing risk management.

  • Creating Supplier Policies: Define and communicate policies specific to supplier relationships, ensuring everyone understands security expectations.

  • Identifying Supplier Types: Document the types of suppliers (like IT services, logistics, or financial services) that impact your information security to understand where potential risks lie.

  • Evaluating and Selecting Suppliers: Make the depth of evaluation proportional to the sensitivity of the information or services the supplier will handle, using evidence such as certifications (e.g., ISO/IEC 27001), audit reports, on-site visits, or references to confirm they meet your security needs.

  • Defining Access Levels: Clearly outline what information, systems, and infrastructure suppliers can access, so you have a secure foundation for each relationship.

  • Assessing Risks: Look for potential security risks with each supplier, including those from their products, systems, or even personnel, and take steps to address them.

  • Monitoring Compliance: Regularly check that suppliers meet your security requirements, from reviewing their security controls to validating their products.

  • Incident and Contingency Handling: Set up protocols for managing any security incidents with supplier products or services, so you’re ready to act if issues arise.

  • Secure Termination: When the relationship ends, follow secure steps to revoke access, transfer information securely, and handle any remaining data or assets.

  • Building Resilience and Recovery Plans: Have a backup plan in case a supplier becomes unavailable, such as an alternate supplier, to ensure your operations stay resilient.

Implementation Guide for Control 5.19

    1. Identify Supplier Types → List all suppliers impacting your information security (e.g., IT, logistics, cloud services).

    2. Define Evaluation Criteria → Set standards for selecting secure suppliers, like checking certifications, references, or performing on-site assessments.

    3. Select and Approve Suppliers → Choose suppliers who meet your security criteria and document their approval.

    4. Define Access Levels → Clearly specify what information, systems, or physical assets suppliers can access.

    5. Assess Security Risks → Identify and address security risks specific to each supplier, including potential vulnerabilities or malicious activities.

    6. Establish Monitoring Procedures → Set up regular reviews to ensure suppliers maintain your security standards, like audits or product checks.

    7. Prepare for Incidents → Define steps for handling security incidents involving suppliers to react swiftly if issues occur.

    8. Plan for Secure Termination → Outline steps for securely ending a supplier relationship, such as revoking access and ensuring data is safely transferred or deleted.

    9. Train Your Team → Ensure employees understand how to interact securely with suppliers, especially those with high access to your information.
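
Steps 4, 6 and 8 above only work if someone regularly checks the identity provider against the supplier register. The script below is an added illustration, not code from the page or from any product it mentions: it assumes a hypothetical supplier register (with approved access scopes, contract dates and review cadence) and an exported inventory of third-party accounts, both constructed inline, and flags orphan accounts, access that outlives a contract, scopes beyond the agreement, and overdue compliance reviews.

```python
"""Supplier access reconciliation (added example; data and field names are hypothetical)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Supplier:
    supplier_id: str
    name: str
    status: str                 # "active" or "terminated"
    approved_scopes: frozenset  # scopes granted in the supplier agreement
    contract_end: date
    last_review: date
    review_interval_days: int   # shorter for higher-risk suppliers


@dataclass
class Account:
    username: str
    supplier_id: str            # tag applied when the account was provisioned
    scopes: frozenset           # scopes the account actually holds today
    enabled: bool


def reconcile(suppliers, accounts, today):
    """Return (severity, subject, finding) tuples for everything that needs action."""
    by_id = {s.supplier_id: s for s in suppliers}
    findings = []
    for acct in accounts:
        if not acct.enabled:            # disabled accounts are already revoked
            continue
        sup = by_id.get(acct.supplier_id)
        if sup is None:
            findings.append(("high", acct.username, "orphan account: no supplier in register"))
            continue
        if sup.status == "terminated" or sup.contract_end < today:
            findings.append(("high", acct.username,
                             f"active access after termination/expiry of {sup.name}"))
        extra = acct.scopes - sup.approved_scopes
        if extra:                       # access level exceeds what was agreed
            findings.append(("medium", acct.username,
                             f"scopes beyond agreement with {sup.name}: {sorted(extra)}"))
    for sup in suppliers:
        if sup.status != "active":
            continue
        due = sup.last_review + timedelta(days=sup.review_interval_days)
        if due < today:                 # monitoring cadence not being kept
            findings.append(("low", sup.supplier_id,
                             f"compliance review overdue since {due.isoformat()}"))
    return findings


def run_example():
    """Constructed sample data: three suppliers, six accounts, as of 2024-06-01."""
    today = date(2024, 6, 1)
    suppliers = [
        Supplier("SUP-001", "Acme Cloud", "active", frozenset({"read:tickets", "write:tickets"}),
                 date(2025, 1, 31), date(2024, 3, 1), 90),
        Supplier("SUP-002", "Beta Logistics", "terminated", frozenset({"read:shipments"}),
                 date(2024, 4, 30), date(2024, 1, 15), 365),
        Supplier("SUP-003", "Gamma Payroll", "active", frozenset({"read:hr"}),
                 date(2026, 1, 1), date(2024, 5, 15), 180),
    ]
    accounts = [
        Account("svc-acme-1", "SUP-001", frozenset({"read:tickets", "write:tickets"}), True),
        Account("svc-acme-2", "SUP-001", frozenset({"read:tickets", "admin:users"}), True),
        Account("svc-beta-1", "SUP-002", frozenset({"read:shipments"}), True),
        Account("svc-beta-2", "SUP-002", frozenset({"read:shipments"}), False),
        Account("svc-unknown", "SUP-999", frozenset({"read:hr"}), True),
        Account("svc-gamma-1", "SUP-003", frozenset({"read:hr"}), True),
    ]
    return reconcile(suppliers, accounts, today)


if __name__ == "__main__":
    for severity, subject, finding in run_example():
        print(f"[{severity}] {subject}: {finding}")
```

Run against a real export, the output is the work list for your termination checklist (high findings) and your access reviews (medium findings); the review-overdue findings are the evidence that monitoring is actually happening at the cadence you set per risk tier.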

Compliance with Control 5.19

  • Set Clear Requirements → Define security expectations for each type of supplier, focusing on confidentiality, integrity, and availability.

  • Include in Contracts → Add specific security clauses to supplier agreements to formalize compliance expectations.

  • Conduct Regular Audits → Schedule audits to review whether suppliers are consistently meeting your security requirements.

  • Monitor Access Levels → Track supplier access to sensitive information and systems, adjusting permissions as needed.

  • Request Compliance Reports → Ask suppliers for regular reports on their security practices to stay informed about their compliance.

  • Enforce Corrective Actions → Promptly address any non-compliance issues to minimize risk, working with suppliers to resolve gaps.

  • Document Compliance Efforts → Keep thorough records of all compliance checks, audits, and corrective actions taken.

  • Update Requirements Regularly → Review and adjust security requirements to keep pace with evolving risks and needs.

Challenges and Solutions

Implementing Control 5.19 can come with some challenges, but knowing what to expect and how to handle it makes the process smoother. 

  • Challenge: Finding Suppliers That Meet Security Standards
    Solution: Not every supplier, especially a smaller vendor, will have mature security practices. Start with a clear set of evaluation criteria and focus on essentials such as certifications, documented security policies, and references from comparable customers. For critical services, prefer suppliers with established, independently verified security credentials; for lower-risk services, a lighter questionnaire proportional to the risk is usually enough.

  • Challenge: Keeping Up with Supplier Compliance
    Solution: Monitoring compliance can feel overwhelming, especially if you have many suppliers. Set up a regular audit schedule and consider using automated tools to track and flag compliance. Maintaining a log of each supplier’s security status helps keep things organized and manageable.

  • Challenge: Handling Incidents Quickly and Effectively
    Solution: Incidents can happen unexpectedly, so having a response plan is key. Define roles and actions ahead of time, both within your team and with your suppliers, to ensure everyone knows their part. Quick communication channels and incident handling protocols make it easier to address issues as soon as they arise.

  • Challenge: Managing Secure Terminations
    Solution: Ending a supplier relationship securely takes planning. Before termination, ensure all access rights are revoked, and agree on steps for transferring or securely deleting any remaining data. Creating a termination checklist can simplify the process and make sure nothing is overlooked.

  • Challenge: Training Your Team on Supplier Security
    Solution: Your team plays a big role in managing supplier relationships securely. Hold regular training sessions so employees understand the importance of supplier security, the rules for supplier access, and how to spot potential issues. This keeps everyone prepared and aligned with your security standards.

FAQ

  • What is the main goal of Control 5.19?
    The goal is to ensure that all suppliers with access to your information meet security standards that protect your data’s confidentiality, integrity, and availability.

  • How do I evaluate a supplier’s security practices?
    Start by checking for security certifications, conducting on-site visits if possible, and reviewing their policies. You can also look for references and conduct risk assessments to ensure they meet your requirements.

  • What should be included in a supplier contract for security?
    A strong supplier contract should outline security requirements, access permissions, compliance expectations, and steps for incident handling and secure termination.

  • How often should I monitor supplier compliance?
    Review every supplier at least annually. For higher-risk suppliers, such as those with privileged access or handling sensitive data, check more often (for example every six months or quarterly), and re-assess whenever the scope of the service changes significantly.

  • What steps should I take if a supplier isn’t meeting security standards?
    Address non-compliance promptly by working with the supplier to close security gaps. If issues persist, consider corrective actions or, if necessary, transitioning to another supplier.

  • How do I ensure security when ending a supplier relationship?
    During termination, revoke all access rights, ensure the secure transfer or deletion of data, and document the entire process. Having a termination checklist is very helpful.

  • Does Control 5.19 apply to cloud service providers?
    Yes, cloud providers fall under Control 5.19. You should assess their security measures, especially around data storage, access controls, and incident management. Also see Control 5.23, which specifically addresses information security for the use of cloud services.

Additional Resources

For a deeper understanding and practical guidance on managing supplier security, here are some valuable resources:

  • ISO/IEC 27036-2 – Part 2 of the ISO/IEC 27036 series sets out requirements for managing information security in supplier relationships, covering selection, monitoring, and secure termination of suppliers.
  • NIST SP 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations) – NIST's supply chain risk management guidance aligns well with ISO/IEC 27001 and can strengthen your supplier risk assessment practices.
  • ENISA Guidelines on Cloud Security – For those working with cloud providers (SaaS, PaaS, or IaaS), ENISA publishes good-practice guidance on cloud security measures.

For a ready-to-use tool, consider our Procurement Supplier Risk Assessment Template. This template is for assessing the security of suppliers in various service categories, including SaaS, PaaS, and IaaS. It simplifies the evaluation process, making it easier to review suppliers’ security controls and compliance with your standards.