ISO 27001:2022 - A5.20 Addressing information security within supplier agreements

Updated: 4 days ago

As stated previously in Annex A5.19 – Information security in supplier relationships, there is a lot of cross-over in these specific controls, therefore you should not look at this control in isolation. You should review this post alongside A5.19, A5.21, A5.22 and A5.23

The handy guide to all ISO27001:2022 Annex A Controls

What does the standard require?

The standard states that “Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.” (A5.20 Addressing information security within supplier agreements).

Why is this required?

As previously discussed in A5.19, ensuring you know who is entering your logical or physical domains is essential. Suppliers tend to have greater levels of access, which is often unchecked, and therefore pose a very real risk to your security.

Had there been an agreement with the refrigerator company, with Target, that outlined the roles and responsibilities towards information security then the incident might not have occurred at all.

Putting in place agreements with a supplier ensures you are clear about your responsibilities, and they are clear on theirs. It’s also worth noting here that, depending on the kind of supplier you have, you may need to ensure there is a data processing agreement (DPA) in place that clearly defines responsibilities are on both parties.

What the auditor is looking for

The auditor will want to see that there are agreements and contracts in place with your key suppliers, especially those that either process data for you, or have access to it.

Specifically, the auditor will want to see agreements that contain;

Clearly defined roles and responsibilities
Confidentiality clauses
Incident response and escalation details
Access control restrictions and requirements
Consequence of non-compliance with the agreement (on both parties)
Termination clauses

The auditor will also expect to see some form of regular supplier review process. Again, this does not need to be documented, but you should be able to evidence regular service reviews are in place and actions that come out of these are discussed and actioned.

What do you need to do?

Review any Supplier Agreement templates you may have, to ensure they contain the information described above. If they don’t currently, then you should update them to ensure they contain the necessary information. You might want to consider getting legal advice for this control, as service agreements are legally binding, so you don’t want to leave this one to ‘ChatGPT’ to write it for you!

The handy guide to all ISO27001:2022 Annex A Controls

Q & A

How do we ensure suppliers comply with our agreements?

Firstly, these should be defined (i.e. written down), and agreed prior to the service being provided. Having regular reviews to ensure everything is on track will reduce the risk of non-compliance. It is far better to have these meetings regularly so that there are no issues, but if there are problems, the agreement should include clear consequences for non-compliance.

How often should we review our agreements?

This depends on the kind of agreement in place, but at the very least your supplier agreements should be reviewed annually. Again, this ensures that everyone is clear about what the service is, and how it should be delivered. Any deviation from the agreement can be quickly addressed to ensure everything remains on track. The longer you leave it between reviews, the harder this may become.

Difficulty rating

We rate this a 1 out of 5 difficulty rating. This means that it requires little if any technical skill to understand the requirement. You need to conduct a review of your supplier agreements and capture the saliant points (noted above). These can be added to your Supplier Register with dates for review alongside them.

Consultants Like Us