ISO27001:2022 - A5.22 Monitoring, review and change management of supplier services

Updated: May 14

In ISO27001, Annex A controls A5.19, A5.20, A5.21, A5.22 and A5.23 are all related to supplier management. Clearly, therefore, managing suppliers is important. But perhaps the most important of all these is the need to monitor, review and, when necessary, manage any change to your suppliers.


What does the standard require?

The standard states that “The organisation shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.” (A5.22 Monitoring, review and change management of supplier services).


There are several parts to this control which, although they overlap somewhat, need to be considered separately. These are:


  • Supplier monitoring

  • Supplier review

  • Changes to suppliers


Keep in mind that monitoring and reviewing are not the same thing. Monitoring is an ongoing process, which might include proactively monitoring logs and activities on a daily basis to ensure work is conducted as prescribed in agreements. Reviewing, however, is analysing the actions and activities that have been taken to ensure they meet agreed service levels. Therefore, this part of the process should include meeting with the service provider to review the results of the monitoring activities.


Why is this required?

As with all these controls (related to supplier management), the primary purpose is to proactively identify any security risks associated with your suppliers' products or services. The key word here is ‘proactively’. This is why it’s important to monitor the way suppliers (their services and products) operate and satisfy your needs. How are you monitoring this? Is it through logs? Is it through timesheets or through some ticketing system?


By monitoring their performance, you might identify a potential security threat or vulnerability. Your monitoring process will ensure they are meeting pre-agreed service levels, which in turn need to be reviewed so that you can adjust the service to meet your specific needs.


Without the monitoring and review process in place, how do you know if they are meeting your needs or not? This is something that should be outlined within your service level agreements, which we discussed in detail in Annex A control, A5.20 - Addressing information security within supplier agreements.


Of course, if they are not meeting your needs, then this control expects you to have a process for changing your suppliers in such a way that it does not disrupt your services or introduce risks to your business.


With all of this said, it’s important to remember that monitoring and reviewing suppliers isn’t just about identifying risks; it’s also about identifying opportunities. First, you don’t want to leave your suppliers providing a sub-optimal service for a long period without addressing it. This can lead to issues and risks, and it’s also bad for the relationship. Presumably you chose them because they have an excellent reputation, but as we all know, sometimes things can go off course. Having regular reviews can get you back on track if things have started to drift.


Second, by monitoring and reviewing suppliers, you might find that you can improve your security or save money by changing the way the contract works. For example, if you’re paying for monthly ‘per-seat’ licences for software, you might find that an annual licence is more beneficial, easier and more cost-effective.


Finally, for larger organisations, you might pay several suppliers who are doing the same thing (e.g. CCTV or alarm monitoring), and through the monitoring and review process, you may identify one supplier who is more efficient and cost-effective than another.


What the auditor is looking for

The auditor won’t be looking for a specific policy or procedure, but will be looking for evidence that you are monitoring and reviewing your suppliers.  If you have changed suppliers for any specific reason, then how you made this change should be evidenced too.


What do you need to do?

Specifically, evidence can include:

  • Logs of monitoring activities (e.g. access to your network(s))

  • Minutes of meetings with your supplier(s)

  • Questionnaires completed by your suppliers on an annual basis

  • Change management processes, showing decisions made about new suppliers

  • Agreements changed or updated, based on reviews undertaken


Remember that ISO27001 is risk based, therefore the level of monitoring and review will depend on the criticality of the supplier.  You won’t have to go to this level of rigour for your catering provider, unless you deem them to be critical.  However, you most likely will need this level of evidence for your outsourced IT service provider.


The level of scrutiny you place on your supplier depends on the level of access they have to your physical and logical processing facilities, so think about how important they are to your operation, and how impactful they are. These are the suppliers that need to be carefully managed.


Ensure you can collect the above information, especially the completed supplier questionnaires.


Q & A

How often should we review or monitor suppliers?

This depends on your organisation and the supplier in question. But we would suggest that, at the very least, you ask key suppliers to complete a security questionnaire, so that you can evaluate their security posture. For critical services, like cloud or ICT support, it is best to have a quarterly review meeting to ensure they are meeting pre-agreed service levels. These levels can then be adjusted in accordance with your business needs.


Do we need to change suppliers, if they have a breach?

The short answer is no, you don’t have to change suppliers. 


But this all comes down to trust. 

This is one of the reasons you need to work closely with your suppliers and get to know them. By meeting with them regularly you’ll build a stronger relationship, and you’re more likely to discover any issues before you hear about them online or in the press.


If the supplier has a breach, you need to understand:

  • How did the breach occur?

  • How did they discover it?

  • When did they discover it?

  • When were you informed that it had happened?

  • Is it likely to happen again?


Based on the above, and the severity of the breach, you can make a decision on what you want to do – do you stay with the supplier, or do you change? If you change, how this will be managed is something that would be controlled through this Annex A control.


Difficulty rating

We rate this a 1 out of 5 for difficulty. This means that it requires little, if any, technical skill to understand the requirement. This is only because it requires that you have a more detailed conversation with your ICT providers about what they are doing for you. Therefore, you may come up against some additional technical areas which aren’t familiar to you. For example, ‘Managed Service Provider’ is a very broad term for any ICT service which is managed on your behalf. This can be anything from a simple IT support service to a fully managed network monitoring service, such as a Network Operations Centre (NOC) or a Security Operations Centre (SOC).


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.
