📋 ISO 27001 A.5.19 (Rule: ISO27001-A519, severity: high)

Information Security in Supplier Relationships

Description

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of suppliers' products or services.

⚠️ Risk Impact

A supplier's compromise becomes your compromise. MOVEit (Cl0p), SolarWinds and Codecov each demonstrated that supplier security gaps become customer breaches.

🔍 How EchelonGraph Detects This

ISO27001-A519: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Maintain a supplier inventory ranked by data access. Collect SOC 2 / ISO 27001 reports annually for Tier 1 suppliers. Negotiate a contractual breach-notification SLA. Run an annual supplier risk review.

💀 Real-World Attack Scenario

MOVEit Transfer breach (May 2023, Progress Software): hundreds of organisations using MOVEit had customer data exfiltrated by the Cl0p ransomware group. Many organisations did not realise MOVEit was a sub-processor (used by their HR vendor, payroll provider, or consulting firm). Total industry impact: $12B+.

💰 Cost of Non-Compliance

Third-party breaches: 61% of 2024 enterprise breaches involved a supplier (Ponemon Third-Party Risk 2024). MOVEit alone: $12B in industry impact. Average vendor-related breach: $4.55M.

📋 Audit Questions

  1. Show the supplier inventory ranked by data access.
  2. Do you collect SOC 2 reports? Where is the most recent one stored?
  3. What is the breach-notification SLA in vendor contracts?
  4. Walk me through onboarding a new vendor.

🎯 MITRE ATT&CK Mapping

T1195 — Supply Chain Compromise

⚡ Common Pitfalls

  • Inventory missing sub-processors: Vendor A relies on Vendor B, which you do not know about
  • Collecting SOC 2 reports without reading them
  • Generic questionnaires that do not probe risk for your data classification

📈 Business Value

Supplier risk management closes a category of exposure that is invisible until it breaches. The MOVEit incident demonstrated that supply-chain risk is the dominant 2024 attack vector.

⏱️ Effort Estimate

Manual

20-40 hours annually for full supplier risk review

With EchelonGraph

EchelonGraph tracks supplier SOC 2 freshness and alerts on stale attestations.

🔗 Cross-Framework References

SOC2-CC9.2, GDPR-Art28

Automate ISO 27001 A.5.19 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
