top of page

ISO 27001:2022 - A5.20 Addressing information security within supplier agreements

Updated: May 14

As stated previously in Annex A5.19 – Information security in supplier relationships, there is a lot of cross-over in these specific controls, therefore you should not look at this control in isolation.  You should review this post alongside A5.19, A5.21, A5.22 and A5.23


What does the standard require?

The standard states that “Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.” (A5.20 Addressing information security within supplier agreements).


Why is this required?

As previously discussed in A5.19, ensuring you know who is entering your logical or physical domains is essential.  Suppliers tend to have greater levels of access, which is often unchecked, and therefore pose a very real risk to your security.


Had there been an agreement with the refrigerator company, with Target, that outlined the roles and responsibilities towards information security then the incident might not have occurred at all.


Putting in place agreements with a supplier ensures you are clear about your responsibilities, and they are clear on theirs.  It’s also worth noting here that, depending on the kind of supplier you have, you may need to ensure there is a data processing agreement (DPA) in place that clearly defines responsibilities are on both parties.


What the auditor is looking for

The auditor will want to see that there are agreements and contracts in place with your key suppliers, especially those that either process data for you, or have access to it.


Specifically, the auditor will want to see agreements that contain;


  • Clearly defined roles and responsibilities

  • Confidentiality clauses

  • Incident response and escalation details

  • Access control restrictions and requirements

  • Consequence of non-compliance with the agreement (on both parties)

  • Termination clauses


The auditor will also expect to see some form of regular supplier review process.  Again, this does not need to be documented, but you should be able to evidence regular service reviews are in place and actions that come out of these are discussed and actioned.


What do you need to do?

Review any Supplier Agreement templates you may have, to ensure they contain the information described above. If they don’t currently, then you should update them to ensure they contain the necessary information.  You might want to consider getting legal advice for this control, as service agreements are legally binding, so you don’t want to leave this one to ‘ChatGPT’ to write it for you!


Q & A

How do we ensure suppliers comply with our agreements?

Firstly, these should be defined (i.e. written down), and agreed prior to the service being provided.  Having regular reviews to ensure everything is on track will reduce the risk of non-compliance. It is far better to have these meetings regularly so that there are no issues, but if there are problems, the agreement should include clear consequences for non-compliance.


How often should we review our agreements?

This depends on the kind of agreement in place, but at the very least your supplier agreements should be reviewed annually. Again, this ensures that everyone is clear about what the service is, and how it should be delivered. Any deviation from the agreement can be quickly addressed to ensure everything remains on track. The longer you leave it between reviews, the harder this may become.


Difficulty rating

We rate this a 1 out of 5 difficulty rating. This means that it requires little if any technical skill to understand the requirement. You need to conduct a review of your supplier agreements and capture the saliant points (noted above).  These can be added to your Supplier Register with dates for review alongside them.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.


7 views0 comments


bottom of page