Episode 32 — A.5.19–5.20 — Supplier relationships; Supplier agreements

A.5.19 establishes that supplier relationships must be governed to protect the organization’s information and services. For the exam, focus on risk-based segmentation of suppliers—by data sensitivity, service criticality, connectivity, and substitution difficulty—and on due diligence that assesses security posture before onboarding. This includes evaluating certifications, SOC reports, vulnerability practices, breach history, resilience capabilities, and subcontractor dependencies. The control’s aim is to prevent external parties from becoming weak links, ensuring obligations for confidentiality, integrity, availability, and compliance are identified and monitored. Candidates should explain how supplier risk informs control selection, monitoring frequency, and contingency planning, and how findings feed into the ISMS’s continual improvement and incident preparedness.

A.5.20 requires that supplier agreements explicitly define security requirements and responsibilities. Contracts should codify data classification handling, encryption and key management expectations, access controls, breach notification timelines, audit and right-to-audit clauses, vulnerability disclosure duties, service levels for recovery time and recovery point, and exit provisions including data return and secure deletion. Practical evidence may include data processing agreements, security schedules, and appendices mapping controls to regulatory frameworks. Pitfalls include generic clauses that fail to reflect actual data flows, unclear subprocessor rules, and missing metrics to verify performance. Mature organizations maintain a clause library aligned to policy, standardize security questionnaires, and establish escalation paths for contract variances. Candidates should connect these requirements to verification mechanisms such as attestation refresh cycles, independent assessments, penetration testing scopes for managed services, and trigger-based reviews when a supplier changes ownership, regions, or architecture. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.