ISO/IEC 27001 Control 5.19: Information security in supplier relationships
Control
Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementing this control without midPoint is feasible. However, midPoint offers considerable advantages, making the implementation more efficient and reliable.
Implementation Overview
Supplier identities can be managed by midPoint, including their access rights and relation to supplier organizations.
Implementation Details
Supplier identities, such as contractors or support engineers, can be recorded in midPoint. Each type of supplier can be represented by a specific (auxiliary) archetype, so that type-specific policies (inducements in the archetype, policy rules) are applied automatically. MidPoint records all access granted to a supplier identity, allowing the risk posed by individual supplier identities to be assessed. The simulation capability can be used to preview and test the effects of access right changes for individual suppliers or supplier types.

Organizational structure can be used to group such external identities under their parent companies, making sure that all supplier identities and access rights are properly de-provisioned when the contract with that supplier is terminated. Classification can be used to limit a supplier's access to classified information by hard policy, e.g. prohibiting a supplier identity from gaining any role that grants access to systems classified as "sensitive".

Application inventory can be used to catalog third-party (cloud) services used by the organization, including all entities that have access to them. Classifications can be used to categorize cloud services according to the level of security they provide and the sensitivity of the information stored there. Notifications can be used to communicate security policies and rules for acceptable use of information to suppliers when they are granted access to systems.

All operations regarding supplier identities and access rights, as well as other midPoint objects, are recorded in the audit trail. The object history functionality can be used to demonstrate changes in supplier access rights over time.
Implementation Notes
- Personal information protection should be considered when working with suppliers, especially if cross-border transfer is involved, and even more so when information is transferred outside the EU (see GDPR). MidPoint provides an advantage when all personal information transfer is mediated by midPoint: midPoint then maintains a record of what was transferred where, and it can also make sure that erasure of the information is properly initiated when access ends.
Rationale
MidPoint can manage access rights of suppliers, e.g. by granting temporary access rights that are automatically revoked on their expiry date, or by creating a business role specifically for a particular supplier, so that its membership (who has access through that role) can be easily monitored and revoked.
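The following objects illustrate the implementation details and rationale above: a supplier archetype that induces a baseline role, a business role created for one specific supplier, an organization representing that supplier, and a supplier user whose role assignment expires automatically. This is an added example written for this page, not configuration from the midPoint project or its documentation. All OIDs, the resource the role provisions to, and the supplier name "Acme Ltd." are placeholders chosen for illustration.

```xml
<!-- Added example (not midPoint project code). All OIDs and names are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Baseline role that every supplier support engineer receives via the archetype. -->
    <role oid="00000000-0000-0000-0000-00000000b001">
        <name>Supplier baseline</name>
        <description>Minimal access common to all supplier support engineers (placeholder).</description>
    </role>

    <!-- Archetype marking one type of supplier identity; type-specific policy lives here. -->
    <archetype oid="00000000-0000-0000-0000-00000000a001">
        <name>Supplier Support Engineer</name>
        <archetypePolicy>
            <display>
                <label>Supplier support engineer</label>
                <pluralLabel>Supplier support engineers</pluralLabel>
            </display>
        </archetypePolicy>
        <!-- Inducement: every holder of this archetype automatically gets the baseline role. -->
        <inducement>
            <targetRef oid="00000000-0000-0000-0000-00000000b001" type="RoleType"/>
        </inducement>
    </archetype>

    <!-- Organization representing the supplier company; membership makes bulk de-provisioning easy. -->
    <org oid="00000000-0000-0000-0000-00000000c001">
        <name>Acme Ltd. (supplier)</name>
        <description>External supplier; all Acme identities are members of this org.</description>
    </org>

    <!-- Business role created for this specific supplier's engagement, so "who has this role"
         is the complete list of Acme staff with ticketing access. -->
    <role oid="00000000-0000-0000-0000-00000000b002">
        <name>Supplier: Acme Ltd. ticketing support</name>
        <inducement>
            <construction>
                <!-- Placeholder OID of the ticketing system resource. -->
                <resourceRef oid="00000000-0000-0000-0000-00000000d001" type="ResourceType"/>
            </construction>
        </inducement>
    </role>

    <!-- A supplier engineer with a time-limited assignment of the supplier-specific role. -->
    <user oid="00000000-0000-0000-0000-00000000e001">
        <name>acme.jdoe</name>
        <givenName>Jane</givenName>
        <familyName>Doe</familyName>
        <emailAddress>jane.doe@acme.example</emailAddress>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-00000000a001" type="ArchetypeType"/>
        </assignment>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-00000000c001" type="OrgType"/>
        </assignment>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-00000000b002" type="RoleType"/>
            <!-- Contract window: the assignment is only effective between these dates. -->
            <activation>
                <validFrom>2025-01-01T00:00:00.000Z</validFrom>
                <validTo>2025-06-30T23:59:59.000Z</validTo>
            </activation>
        </assignment>
    </user>

</objects>
```

Once the validTo date passes, the role assignment becomes inactive and the ticketing account it induced is revoked on the user's next recompute (midPoint's validity scanner task triggers this without manual intervention). The archetype and the org membership remain, so the identity itself stays visible for audit and can be fully de-provisioned together with the rest of the supplier's org members when the contract ends.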
Related Features
- Information classification (planned)
- Policy (concept) (planned)
Related Controls
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements