Supplier Security

Supplier security is about identifying and managing the information security risks that arise when your organisation uses external suppliers and partners. It is a requirement in both ISO 27001 and NIS2, and one of the most overlooked security areas in practice.

Why is supplier security important?

Modern organisations depend on a large number of external suppliers: cloud providers, SaaS systems, consultants, outsourced IT functions and many others. These suppliers often have access to the organisation's data or systems, and they therefore introduce security risks that the organisation is obliged to manage.

Supply chain attacks, where an attacker compromises a supplier in order to attack its customers, are one of the fastest-growing threat types. The SolarWinds attack in 2020 and the MOVEit breach in 2023 are examples of this.

ISO 27001's requirements

ISO 27001:2022 addresses supplier security in Annex A controls 5.19–5.22:

• 5.19: Information security in supplier relationships.
• 5.20: Addressing information security within supplier agreements.
• 5.21: Managing information security in the ICT supply chain.
• 5.22: Monitoring, review and change management of supplier services.

Risk assessment of suppliers

Not all suppliers pose the same risk. A risk-based approach involves classifying suppliers according to:

• Access to sensitive data or critical systems
• Criticality to business operations
• The supplier's own security maturity (e.g. ISO 27001 certification)

Supplier assessment:
For high-risk suppliers, you should require documentation of their security level, for example via certificates, audit reports (SOC 2) or a completed security questionnaire.

Security requirements in supplier agreements

Security requirements must be included in supplier agreements and SLAs. This typically includes requirements for confidentiality, incident notification, access control, encryption, and the right to audit. Where these requirements overlap with the GDPR's rules on data processing agreements, the two sets of requirements should be coordinated so that they do not conflict or duplicate each other.

Frequently Asked Questions about Supplier Security

What does ISO 27001 require for supplier security?

ISO 27001:2022 addresses supplier security in Annex A controls 5.19–5.22, covering information security in supplier relationships, supplier agreements, ICT supply chain management and monitoring of supplier services.

How should suppliers be risk-assessed?

Suppliers should be classified according to their access to sensitive data or critical systems, their criticality to business operations, and their own security maturity. High-risk suppliers should provide documentation such as ISO 27001 certificates or SOC 2 reports.

What security requirements should be in supplier agreements?

Supplier agreements should include requirements for confidentiality, incident notification, access control, encryption, data protection, audit rights and the right to terminate in case of serious security breaches.

Is supplier security required under both ISO 27001 and NIS2?

Yes. ISO 27001 addresses it through Annex A controls 5.19–5.22, while NIS2 Article 21(2)(d) requires measures regarding supply chain security. The requirements complement each other and can be addressed through a single supplier management framework.

What is the difference between supplier security and supply chain security?

Supplier security focuses on managing risks from your direct suppliers, particularly in the context of ISO 27001. Supply chain security is broader and includes the entire chain of sub-suppliers behind your direct suppliers, as emphasised by NIS2.
