A.5.19 Information Security in Supplier Relationships
What is this control?
ISO 27001 control A.5.19 Information Security in Supplier Relationships maintains agreed levels of information security in supplier relationships by identifying and managing supply chain risks. The control classifies suppliers into risk tiers: Tier 1 for high-risk suppliers with access to organisational data, and Tier 2 for low-risk commodity services. It applies formal due diligence, B2B access management, and continuous monitoring to suppliers who access organisational information.
How to implement in Microsoft 365
Implement A.5.19 through supplier tiering based on access to organisational data. All Tier 1 suppliers must complete the supplier due diligence checklist verifying ISO 27001 or SOC 2 certification, SAML or OIDC SSO capability, audit log export capability, and CISO sign-off. Provision supplier personnel as Microsoft Entra B2B Guest accounts using Access Packages with approval, justification, and automatic expiry.
Configure quarterly Access Reviews for B2B guest accounts requiring business owner re-certification. Ingest B2B sign-in logs into Microsoft Sentinel and configure DLP policies blocking sensitive data transfers to supplier domains.
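The continuous-monitoring step above (guest sign-in logs checked against the supplier register) can be expressed as a small review script. This is an added example, not code from the page or from Microsoft: the register, the sign-in records and their field names are constructed stand-ins for a Sentinel sign-in export, and the rules encode the Tier 1 due-diligence and Access Package expiry requirements described above.

```python
from datetime import date, datetime

# Constructed supplier register, keyed by the supplier's home domain.
# Tier 1 = data access, needs the due diligence checklist and CISO sign-off;
# Tier 2 = commodity service. "expires" is the Access Package expiry date.
SUPPLIER_REGISTER = {
    "alpha-consulting.example": {"tier": 1, "ciso_signoff": True, "expires": date(2025, 12, 31)},
    "beta-support.example": {"tier": 1, "ciso_signoff": False, "expires": date(2025, 12, 31)},
    "gamma-print.example": {"tier": 2, "ciso_signoff": False, "expires": date(2025, 6, 30)},
}

# Constructed B2B guest sign-in records. The layout is a simplified stand-in
# for an exported sign-in log; the field names are ours, not Microsoft's.
GUEST_SIGNINS = [
    {"upn": "ann_alpha-consulting.example#EXT#@contoso.example",
     "home_domain": "alpha-consulting.example", "app": "SharePoint Online",
     "time": "2025-09-01T08:15:00"},
    {"upn": "bob_beta-support.example#EXT#@contoso.example",
     "home_domain": "beta-support.example", "app": "Exchange Online",
     "time": "2025-09-01T09:02:00"},
    {"upn": "cat_gamma-print.example#EXT#@contoso.example",
     "home_domain": "gamma-print.example", "app": "Teams",
     "time": "2025-09-01T10:40:00"},
    {"upn": "dan_unknown-vendor.example#EXT#@contoso.example",
     "home_domain": "unknown-vendor.example", "app": "SharePoint Online",
     "time": "2025-09-01T11:20:00"},
]


def review_guest_signins(signins, register):
    """Return (upn, finding) pairs for guest sign-ins that breach supplier rules.

    Rules checked, in order: the guest's home domain must be a registered
    supplier; a Tier 1 supplier must have CISO sign-off on due diligence;
    the sign-in must not fall after the supplier's access expiry date.
    """
    findings = []
    for rec in signins:
        supplier = register.get(rec["home_domain"])
        if supplier is None:
            findings.append((rec["upn"], "home domain not in supplier register"))
            continue
        if supplier["tier"] == 1 and not supplier["ciso_signoff"]:
            findings.append((rec["upn"], "tier 1 supplier without CISO sign-off"))
        signed_in = datetime.fromisoformat(rec["time"]).date()
        if signed_in > supplier["expires"]:
            findings.append((rec["upn"], "sign-in after access package expiry"))
    return findings


if __name__ == "__main__":
    for upn, finding in review_guest_signins(GUEST_SIGNINS, SUPPLIER_REGISTER):
        print(f"{upn}: {finding}")
```

Each finding maps to an auditor check in the next section: an unregistered domain or expired access should surface in the quarterly Access Review, and a missing CISO sign-off means the Tier 1 due diligence checklist is incomplete.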
What an auditor looks for
Auditors will verify completed supplier due diligence checklists with CISO sign-off for all Tier 1 suppliers. They will check that quarterly Access Reviews are configured for B2B guest accounts. Auditors will review access review results demonstrating formal re-certification of supplier access.
They will verify Microsoft Sentinel monitoring is configured for B2B guest accounts. Auditors will check DLP policies are configured to monitor and block transfers to unapproved supplier domains. They will review contracts with required clauses including NDA, DPA, breach notification, and secure termination.
Related controls
M365 capabilities that implement this control
Guest governance, cross-tenant access policies, external collaboration settings, and partner onboarding processes
Microsoft Purview Customer Lockbox for support access