
ISO 27001:2022 Annex A Control 5.20

Addressing information security within supplier agreements

Annex A control 5.20 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 15.1.2

No business is an island, and the vast majority rely on supplier relationships in order to function day-to-day. Control 5.20 offers guidance on these relationships, outlining how organisations should form supplier contracts based on security requirements. Suppliers and businesses must agree on mutually acceptable IS obligations, in order to manage risk.

Control 5.20 covers key factors such as changes to supply chain policies, procedures and controls, including improving and maintaining existing IS policies. How it is applied depends on whether an organisation operates its own legal department.

The importance of control 5.20

There are several factors contributing to the relevance of control 5.20, including the criticality of business data, the types of suppliers affected, the nature of the change, risk factors, and the systems and processes involved.

Control 5.20 empowers the organisation by providing a framework for creating and maintaining supplier relationships. Businesses should assess how close each relationship is and how far they are able to influence or control its security factors.

Key guidance for control 5.20

There are 25 guidance points within 5.20. ISO 27001 states that it is “possible to consider” these in order to meet information security requirements, which suggests that organisations may focus on the most relevant points and not necessarily all of the points.

The aim of these points is to give all parties involved in supplier relationships a clear understanding of their information security obligations, and the obligations of others.

The 25 guidance points are:

  1. Providing a clear description of what information needs to be accessed, and how it will be accessed.
  2. Classifying data according to the organisation's classification schemes (see controls 5.10, 5.12 and 5.13).
  3. Considering supplier information classification on how it relates to the organisation’s classification schemes.
  4. Dividing both parties’ rights into four categories: statutory, legal, contractual, and regulatory. Obligations should be outlined within these four areas, including copyright provisions and accessing personal data.
  5. Implementing concurrent measures for monitoring, assessing and managing IS risks. This should be undertaken by all parties, and agreements should state that suppliers need to adhere to the organisation’s IS standards.
  6. Understanding what constitutes acceptable and unacceptable information.
  7. Putting procedures in place to ensure supplier personnel can access and view necessary information.
  8. Understanding how the supplier’s ICT infrastructure relates to the information the organisation plans to access.
  9. Considering necessary steps if suppliers breach the contract or fail to comply.
  10. Describing mutual incident management procedures to clarify how problems will be handled.
  11. Providing adequate awareness training across all parties, highlighting key areas like Incident Management and Information Sharing.
  12. Addressing the use of subcontractors, ensuring that any such individuals or companies are held to the same IS standards.
  13. Considering how supplier personnel are screened before accessing company data.
  14. Stipulating that suppliers provide third-party attestation of their compliance with the organisation's IS requirements.
  15. Making use of the organisation’s right to evaluate and audit the procedures of suppliers.
  16. Suppliers providing periodic reports summarising the effectiveness of processes and procedures, and how issues will be tackled.
  17. Including measures to resolve any conflicts swiftly and thoroughly in the supplier agreement.
  18. Suppliers implementing a BUDR policy to meet organisational needs. This should address three areas: Backup type, Backup frequency, and Backup location and source media.
  19. Operating out of a disaster recovery facility separate from the main supplier ICT site, to ensure data resilience.
  20. Maintaining a comprehensive change management policy to allow organisations to reject any changes in advance.
  21. Implementing physical security controls based on what information they can access.
  22. Ensuring that data and assets are protected when transferred between sites, servers, storage locations, or assets.
  23. Each party taking an extensive set of actions in the event of termination, including disposing of assets, deleting information, returning IP, and removing access rights.
  24. Suppliers discussing how they intend to destroy organisational data when it is no longer needed.
  25. Taking steps to ensure there is no interruption to business operations when a contract ends and support must be transferred.

Changes from ISO 27001:2013

Control 5.20 is largely similar to its 2013 counterpart, 15.1.2. However, it has been amended to address a wider range of technical, compliance-related and legal issues.

These include information relating to the destruction of information, provisions for termination, the handover procedure, change management, information redundancy and backups, and controls for physical security.

Control 5.20 highlights steps for suppliers to achieve data integrity and redundancy throughout a contract.