ISO/IEC 27001 Control 5.20: Addressing information security within supplier agreements


Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

Some of the supplier contractual agreements can be enforced by midPoint policies.

Implementation Details

This control deals mostly with contractual obligations, not so much with technical controls and measures. Most of the measures described in control 5.19 can be used to implement the contractual clauses of this control. MidPoint can make sure that access is granted to supplier identities only after all necessary contracts are in place (using the clearance mechanism), e.g. only allowing access to users that have signed personal non-disclosure agreements. The audit trail and object history features can provide valuable information during management of incidents involving supplier identities and actions.
