ISO/IEC 27001 Control 5.19: Information security in supplier relationships


Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

Supplier identities can be managed by midPoint, including their access rights and relation to supplier organizations.

Implementation Details

Supplier identities, such as contractors or support engineers can be recorded in midPoint, using specific archetypes, applying specific policies (inducements in the archetypes, policy rules). MidPoint records all access granted to the supplier, allowing assessment of risk posed by individual supplier identities. Organizational structure can be used to group such external identities with respect to their mother companies, making sure all supplier identities and access rights are properly de-provisioned when contract with specific supplier is terminated. Classification can be used to limit supplier's access to classified information based on hard policy, e.g. prohibiting supplier identity to gain any role which gives access to systems classified as "sensitive". Application inventory can be used to catalog third-party (cloud) services used by the organization, including all entities that have access to them. Classifications can be used to categorize cloud services, according to provided level of security and sensitivity of information stored there. Notifications can be used to communicate security policies and rules for acceptable use of information to suppliers, when gaining access to systems.

Implementation Notes

  • Personal information protection should be considered when working with supplier, especially if cross-border transfer is involved, even more importantly in case of information transfer outside EU (see GDPR). MidPoint can provide an advantage in case that all personal information transfer is mediated by midPoint, as midPoint maintains record of information transfer, and it can also make sure that information erasure is properly initiated.


MidPoint can manage access rights of suppliers, e.g., by creating temporary access rights automatically revoked on expired date, by creating a business role especially created for a specific supplier that can be easily monitored (who has access to that role) and revoked.

Was this page helpful?
Thanks for your feedback