A.5.19 / A.5.20 — Are IS requirements addressed in supplier relationships and agreements?
Description
What this control does
This control ensures that information security requirements are systematically identified, documented, and agreed with suppliers before service commencement, and that formal agreements codify these requirements as enforceable obligations. Organizations must establish processes to assess supplier risk; define security expectations covering data handling, access controls, incident management, audit rights, and termination procedures; and integrate these into procurement workflows and contracts. The control matters because third-party relationships introduce supply chain risk, potential data exposure, and loss of direct operational control over security measures.
Control objective
What auditing this proves
Demonstrate that information security requirements are defined, communicated, and contractually established in all supplier relationships before service delivery begins, and that these agreements are monitored for compliance throughout the relationship lifecycle.
Associated risks
Risks this control addresses
- Suppliers accessing organizational data without adequate security controls, leading to unauthorized disclosure or data breach
- Lack of contractual incident notification requirements delaying breach response and regulatory reporting obligations
- Absence of audit rights preventing verification of supplier security postures and regulatory compliance
- Inadequate data handling or retention practices by suppliers violating data protection regulations
- Unclear security ownership during supplier transitions or contract terminations exposing sensitive information
- Insufficient access control requirements allowing supplier personnel excessive system privileges
- Missing secure development lifecycle obligations in software vendor contracts introducing vulnerabilities into production systems
Testing procedure
How an auditor verifies this control
- Obtain the organization's supplier management policy and procedures documenting how information security requirements are identified, assessed, and incorporated into supplier agreements.
- Review the supplier risk assessment methodology and criteria used to classify suppliers based on data sensitivity, system criticality, and access scope.
- Select a representative sample of 8-12 supplier agreements spanning high-risk, medium-risk, and low-risk categories across different service types (cloud, software, outsourcing, professional services).
- Examine each sampled agreement for the presence of mandatory security clauses, including data protection obligations, access control requirements, incident notification timelines, audit and inspection rights, subcontractor management, and secure termination procedures.
- Verify that information security requirements were documented prior to contract execution by reviewing procurement records, security questionnaires, and risk assessment outputs dated before agreement signatures.
- Interview procurement and information security personnel to confirm the process for reviewing and approving supplier agreements includes security stakeholder participation.
- Review evidence of ongoing supplier security compliance monitoring such as audit reports, security questionnaire responses, certification validations (ISO 27001, SOC 2), and performance reviews conducted during the audit period.
- Test a sample of recently onboarded suppliers to confirm that security requirements were addressed before system access was granted or data was shared, by examining onboarding checklists, access approval records, and data sharing agreements.