Your ISMS boundary does not end at your office door or your own systems. The moment a supplier — a SaaS tool, a cloud provider, a contractor, a payroll processor — can access your data or infrastructure, they become part of your information security risk picture. ISO 27001 makes you responsible for managing that risk, not just your own internal controls.
Annex A controls 5.19 through 5.22 of ISO/IEC 27001:2022 cover supplier relationships in four controls. They are among the most commonly under-implemented areas in first-time certifications, and among the areas auditors ask the most questions about.
The Four Supplier Controls and What Each Requires
| Control | Title | Core requirement |
|---|---|---|
| A.5.19 | Information security in supplier relationships | Identify and document requirements for managing information security risks associated with suppliers. Have a supplier security policy. |
| A.5.20 | Addressing information security within supplier agreements | Information security requirements must be established and agreed with each supplier. Contracts or DPAs must cover specific security obligations. |
| A.5.21 | Managing information security in the ICT supply chain | Address security risks associated with the ICT products and services supply chain — e.g. software components, hardware, cloud infrastructure. |
| A.5.22 | Monitoring, review and change management of supplier services | Regularly monitor and review supplier service delivery. Manage changes to supplier arrangements, including renegotiating agreements when needed. |
Categorise Suppliers by Risk Tier
Not every supplier carries the same risk. A stationery supplier is not the same as a cloud infrastructure provider. Before you assess individual suppliers, define your risk tiers so you know how much scrutiny to apply to each.
Critical: suppliers with direct access to production data or systems
Cloud providers (AWS, Azure, GCP), outsourced database administration, managed security service providers, core SaaS tools that process customer data. Require a full security assessment, contractual security clauses, and an annual review.
Standard: suppliers with limited or indirect access to systems or data
HR platforms, CRM tools, marketing automation, contractors with restricted system access. Require a baseline questionnaire, a DPA where applicable, and periodic review.
Low risk: suppliers with no access to information assets
Office supplies, facilities, couriers. No security assessment required, but record them in the supplier register with their tier classification and a brief justification, so an auditor can see the tiering decision was made deliberately rather than by omission.
What a Supplier Security Assessment Covers
For Critical and Standard suppliers, your assessment should cover: whether they hold a relevant security certification (ISO 27001, SOC 2), how they protect data in transit and at rest, their incident notification obligations, their sub-processor arrangements, their data retention and deletion practices, and their access control policies for staff who can access your data.
You do not need to audit every supplier on-site. For most, reviewing their published security documentation and certifications and having them complete a short questionnaire is sufficient. Do check that a certificate's scope statement actually covers the service you consume and that a SOC 2 Type II report's coverage period is recent; a certificate for a different business unit or a report that is two years old is weak evidence. The key is that the assessment is documented and the outcome is recorded.
What to Include in Supplier Agreements
A.5.20 requires that information security requirements are established and agreed in writing with each relevant supplier. For Critical suppliers, your contract or DPA should address:
- The supplier's obligation to protect information assets to a defined standard
- Right to audit or receive audit reports (e.g., SOC 2 Type II)
- Incident notification obligations — state a concrete timeframe (hours, not "promptly") so you can meet your own breach-notification deadlines
- Sub-processor restrictions and approval requirements
- Data handling, retention, and deletion requirements on contract termination
- Return of assets and secure data disposal procedures
Annual Supplier Reviews
A.5.22 requires ongoing monitoring and review. For most organisations this means an annual review of Critical supplier security posture (re-checking certifications and their validity dates, checking for major incidents or breaches at the supplier, re-running the questionnaire if significant time has passed) and a log of any changes to supplier arrangements during the year. Changes should also trigger an out-of-cycle review: a reported breach at the supplier, a new sub-processor, a change of ownership, or a change in the scope of service you consume are all reasons to reassess and, where necessary, renegotiate the agreement.
What auditors ask for
In a Stage 2 audit, expect auditors to ask for your supplier register, your supplier security policy, evidence of at least one supplier assessment, and a sample contract or DPA showing security clauses. They may also ask how you were notified of a recent supplier incident or change. Have these documents indexed and ready to present — hunting for them during an audit wastes time and erodes confidence.
If you want help implementing your supplier security programme, our ISO 27001 consulting service covers supplier management controls as part of the full Annex A implementation.