Third-party relationships have become one of the largest sources of cybersecurity risk. The average organization now shares data with hundreds of external providers, and each relationship extends the attack surface beyond the systems the organization directly controls.
Supplier risk management is how organizations bring that extended attack surface under governance. Under ISO 27001, it is not a procurement courtesy or an annual questionnaire exercise. It is a set of auditable controls, defined in Annex A, that certification auditors test with the same rigor they apply to access management or incident response.
This guide provides a practical supplier risk management checklist mapped to the five ISO 27001:2022 supplier controls, explains the process behind each checklist item, and covers what modern organizations should do to mitigate supplier risks that traditional annual assessments consistently miss.
Concern
As organizations rely on growing networks of cloud providers, SaaS platforms, contractors, and outsourced service providers, supplier risk has become a core information security concern. Many organizations still manage supplier risk through annual questionnaires and static spreadsheets, leaving long blind spots between reviews. Auditors reviewing ISO 27001 environments now treat weak supplier risk management as a leading indicator of broader ISMS immaturity.
Overview
ISO 27001:2022 addresses supplier risk through five Annex A controls: 5.19 covering supplier relationships, 5.20 covering supplier agreements, 5.21 covering the ICT supply chain, 5.22 covering monitoring and change management, and 5.23 covering cloud services. Together they require a documented supplier risk management process spanning the full relationship lifecycle, from due diligence before onboarding through secure offboarding.
Solution
Organizations should maintain a complete supplier register with risk classifications, embed security requirements in every supplier contract, verify controls through evidence rather than self-attestation, monitor high-risk suppliers continuously, and define exit procedures before they are needed. The checklist in this guide translates each ISO 27001 supplier control into specific, verifiable actions that hold up during certification audits.
What Is Supplier Risk Management
Supplier risk management is the structured process of identifying, assessing, mitigating, and monitoring the security, operational, and compliance risks that external suppliers introduce to an organization. It covers every stage of the supplier relationship, from selection and contracting through ongoing oversight and termination, and it applies to any third party that accesses, processes, stores, or transmits organizational information.
Supplier risk management has evolved from a procurement concern into a board-level security priority. As organizations depend on larger ecosystems of cloud providers, SaaS platforms, contractors, and outsourced service providers, attackers increasingly exploit trusted supplier relationships to gain access to business systems and sensitive data. Every external relationship expands the attack surface and requires governance through consistent risk assessment, security controls, and ongoing oversight.
What Is Third-Party Risk Management and How Does It Relate
What is third-party risk management? It is the broader discipline of managing risks from all external parties an organization depends on, including suppliers, vendors, contractors, partners, and service providers. Supplier risk management is the subset focused specifically on the entities that provide goods and services, and in ISO 27001 environments the two terms are used largely interchangeably because the Annex A supplier controls apply to any third party with access to information assets.
The practical point for compliance teams is scope. An ISO 27001 supplier risk management program cannot limit itself to large technology vendors. It must cover cloud platforms, payroll processors, IT support firms, logistics providers, and any subcontractor whose access or failure could affect the confidentiality, integrity, or availability of information in the scope of the ISMS.
ISO 27001 Vendor Risk Management: The Five Supplier Risk Controls
ISO 27001 vendor risk management is built on five organizational controls in Annex A of the 2022 standard. Each control governs a different stage of the supplier relationship, and certification auditors expect documented evidence for all five.
-
Control 5.19 — Information security in supplier relationships
The parent control. It requires processes and procedures to manage the information security risks associated with the use of supplier products and services. In practice, this means a topic-specific supplier security policy, a documented method for identifying which suppliers can affect information security, and defined rules for how supplier risk is assessed and treated.
-
Control 5.20 — Addressing information security within supplier agreements
Security requirements must be established and agreed with each supplier based on the relationship's risk profile. Contracts should cover access restrictions, data handling obligations, incident notification timelines, audit rights, subcontractor obligations, and requirements to maintain certifications such as ISO 27001 or SOC 2 for the duration of the agreement.
-
Control 5.21 — Managing information security in the ICT supply chain
This control extends oversight beyond direct suppliers to the components and services embedded in the ICT products the organization buys. It addresses the fourth-party problem: the suppliers of your suppliers.
-
Control 5.22 — Monitoring, review, and change management of supplier services
Supplier oversight does not end at contract signature. Organizations must regularly monitor supplier security performance, review compliance with agreed requirements, and evaluate the risk impact of changes to supplier services, personnel, or ownership.
-
Control 5.23 — Information security for use of cloud services
New in the 2022 edition, this control requires organizations to define security requirements for acquiring, using, managing, and exiting cloud services. It reflects the reality that cloud providers are now most organizations' highest-dependency suppliers.
Together these controls define what auditors expect the program to demonstrate: documented policy, risk-based supplier classification, contractual enforcement, supply chain visibility, continuous oversight, and cloud-specific governance. A program that addresses only onboarding due diligence covers roughly one control out of five.
Weak supplier oversight is also one of the most common sources of ISO 27001 audit findings. Missing supplier registers, contracts without security clauses, and absent monitoring records are gaps auditors identify quickly because the evidence trail is either present or it is not. Organizations preparing for certification should treat the supplier controls with the same seriousness as access control and incident management.
The Supplier Risk Management Process: Five Stages
The supplier risk management process follows five stages: inventory and classification, due diligence, contractual controls, ongoing monitoring, and offboarding. Each stage produces the evidence that ISO 27001 auditors request, and weaknesses at any stage undermine the stages that follow.
Stage 1: Inventory and Risk Classification
Every program starts with a complete supplier register. Document all suppliers across business units, then classify each by risk using criteria such as data sensitivity, system access, operational criticality, and substitutability. Risk classification keeps oversight proportionate by applying deeper scrutiny to critical suppliers while using lighter governance for lower-risk relationships.
Stage 2: Due Diligence Before Onboarding
Assess supplier security posture before granting access, not after. Review independent evidence such as ISO 27001 certificates, SOC 2 Type II reports, and penetration test summaries rather than relying solely on self-completed questionnaires. For critical suppliers, verify claims through technical discussions with the supplier's security team. The depth of diligence should match the tier assigned in Stage 1.
Stage 3: Contractual Security Requirements
Convert security expectations into enforceable contract terms aligned with Control 5.20. Include the right to audit, breach notification within defined hours, data processing and residency terms, subcontractor pre-approval requirements, certification maintenance clauses, and termination rights when security obligations are breached. A requirement that exists only in a policy, and not in the contract, is unenforceable when it matters.
Stage 4: Ongoing Monitoring and Review
Monitor supplier security performance throughout the relationship. For critical suppliers, this means annual reassessments at minimum, review of updated certifications and audit reports, tracking of security incidents, and evaluation of material changes such as ownership transfers or new subcontractors. Mature supplier risk management programs supplement periodic reviews with continuous monitoring signals, closing the long detection gap that annual cycles leave open.
Stage 5: Secure Offboarding
Define exit procedures before they are needed. Offboarding should include revocation of all supplier access, return or verified destruction of organizational data, transfer of any dependencies, and a documented closure review. Orphaned supplier access is a recurring audit finding and a genuine attack vector, particularly for suppliers whose contracts ended without a formal termination process.
The ISO 27001 Supplier Risk Management Checklist
The following supplier risk management checklist translates the five Annex A supplier controls into verifiable actions. Each item should produce documented evidence, because in an ISO 27001 audit, an action without a record is treated as an action that did not happen.
Governance and Policy
- Establish and approve a topic-specific supplier security policy
- Maintain a complete supplier register covering all business units and locations
- Classify every supplier by risk tier using documented criteria
- Assign a named owner for each critical supplier relationship
Contracts and Agreements
- Embed security requirements in every supplier agreement, proportionate to risk tier
- Include audit rights, incident notification timelines, and data handling obligations
- Require pre-approval for subcontractors handling in-scope data
- Mandate maintenance of relevant certifications for the contract duration
Supply Chain Visibility
- Identify critical fourth parties behind your highest-risk suppliers
- Require suppliers to cascade security obligations to their subcontractors
- Assess concentration risk where multiple suppliers depend on the same platform
Monitoring and Change Management
- Reassess critical suppliers at least annually with evidence-based reviews
- Track supplier incidents, certification lapses, and material changes
- Document review outcomes and corrective actions to closure
Cloud Services
- Define security requirements for acquiring and using cloud services
- Document shared responsibility boundaries for each cloud provider
- Establish documented exit strategies for critical cloud dependencies
Organizations that work through this supplier risk management checklist systematically produce the evidence base that certification requires as a natural outcome, rather than assembling documentation retrospectively before an audit.
How to Mitigate Supplier Risks
Organizations looking to mitigate supplier risk management gaps should focus on the failure patterns that recur across third-party breaches: unmonitored access, stale assessments, unenforceable contracts, and invisible fourth parties. The following practices address each pattern directly.
-
Replace self-attestation with evidence
Questionnaires capture what suppliers say; evidence captures what they do. Prioritize independent audit reports, certifications verified against issuing body registers, and technical validation for critical suppliers. Supplier risks concentrate precisely where claims go unverified.
-
Move critical suppliers to continuous oversight
Annual reviews leave eleven-month blind spots. Supplier risk management software platforms now provide continuous external monitoring, alerting organizations to certificate expirations, exposed credentials, and disclosed breaches at their suppliers.
-
Enforce least-privilege supplier access
Grant suppliers the minimum access their service requires, time-bound where possible, with unique named accounts rather than shared credentials. Review supplier access rights on a defined schedule and revoke immediately at contract end. Access that outlives its purpose is among the most preventable supplier risks.
-
Prepare for supplier failure, not just supplier compromise
Security incidents are one supplier risk among several. Financial failure, service discontinuation, and acquisition by a competitor all disrupt operations. Business continuity planning should cover critical supplier failure scenarios with documented alternatives and tested recovery procedures.
-
Use tooling to scale, not to substitute for judgment
Supplier risk management software automates evidence collection, monitors control status, and maintains the audit trail, which matters when assessment volumes grow. But tooling does not replace the risk decisions themselves. Classification criteria, risk acceptance, and contract negotiation remain governance judgments that the organization must own. The strongest programs combine automated visibility with clearly assigned human accountability.
Conclusion
Supplier risk management has become one of the clearest dividing lines between organizations that treat ISO 27001 as a governance system and those that treat it as a certificate. The five Annex A supplier controls are specific, testable, and increasingly scrutinized as third-party breaches climb. The checklist in this guide maps directly to what certification auditors examine: policy, register, classification, contracts, supply chain visibility, monitoring records, and cloud governance.
The market context makes the case without exaggeration. Third-party involvement in breaches doubled in a single year. Downstream victim counts per breach reached record levels. Regulators from DORA to NIS2 now hold organizations accountable for their suppliers' security. Against that backdrop, a structured supplier risk management program is not a compliance formality. It is the mechanism by which an organization keeps its risk profile within the boundaries it has chosen.
At CertPro, we conduct ISO 27001 certification audits for organizations worldwide as a licensed CPA firm. Our auditors examine supplier registers, contractual controls, monitoring evidence, and offboarding records as part of every certification and surveillance engagement. We assess whether supplier oversight operates in practice, not just in policy, because that distinction is exactly what the standard requires and what enterprise customers increasingly verify.


