ISO/IEC 27001 Control 5.21: Managing information security in the ICT supply chain


Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Necessity of MidPoint

MidPoint's contribution to implementation of this control is marginal.

Implementation of the control is mostly outside the scope of identity governance and administration (IGA), so midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.

Implementation Overview

MidPoint can provide an inventory of applications, including their classifications.

Implementation Details

This control deals mostly with contractual obligations and organizational procedures, not so much with technical controls and measures. However, there are some advantages that midPoint can provide. The application inventory can be used to catalog third-party (cloud) services used by the organization. Classifications can be used to categorize the services according to the demonstrated certifications applicable to them. Policy rules can be used to limit access to services with insufficient security levels or certifications.
