
ISO 27001:2022 Annex A Control 5.22

Monitoring, review and change management of supplier services

Annex A control 5.22 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 15.2.1 and ISO 27001:2013 Annex A 15.2.2.

To assert data protection in supplier relationships, there must be an agreed level of access and information security. Annex 5.22 aims to ensure that this agreed level is maintained throughout supplier service delivery, in accordance with supplier contracts.

Regularly monitoring, reviewing, and auditing supplier service delivery processes is advised by control 5.22, with reviews undertaken in proportion to the information at risk. It does not promote a “one-size-fits-all” approach to supplier contracts.

Organisations are encouraged to optimise resources and ensure their efforts are concentrated on monitoring and reviewing where the most significant impact can be achieved. To do this, control 5.22 suggests conducting reviews in accordance with supplier segmentation.

Changes to supplier services, and how to manage them

Under control 5.22, suppliers have an obligation to maintain and improve IS policies, procedures, and controls, managing any changes to the provision of services. Factors like the nature of the change, the sensitivity of business data, and the processes involved should all be taken into account.

The closeness of the supplier relationship should also be considered when making changes to supplier services. Similarly, the organisation’s ability to request or influence changes by the supplier should be taken into account. Control 5.22 takes a preventative approach to data protection, designed to minimise risk by helping suppliers maintain an agreed level of information security.

Supplier relationships

Control 5.22 outlines a framework for organisations to monitor, review, and manage changes to a supplier’s security practices and service delivery, assessing how they impact the organisation’s own security practices. Organisations should strive to maintain a baseline information security level that complies with any signed agreements.

Responsibility for control 5.22 should lie with a member of senior management who oversees the organisation’s commercial operations and maintains the relationship with suppliers for the duration of their contracts.

Key guidelines in control 5.22

Organisations are responsible for ensuring those tasked with managing supplier relationships possess the skills and technical resources necessary. This ensures they can evaluate supplier performance adequately without breaching IS standards.

Control 5.22 outlines a total of 13 areas that must be considered when managing supplier relationships. These guidelines are:

  1. Continuously monitoring service levels in accordance with service level agreements, addressing any shortfalls if and when they occur.
  2. Suppliers monitoring any changes to their operations, including service enhancements, new applications, relevant and meaningful governance document revisions and changes to incident management procedures.
  3. Monitoring changes to the service, including infrastructure changes, new tech, product updates, development environment changes, supplier facility changes, and outsourcing and subcontractors.
  4. Ensuring service reports are regularly delivered and that data is analysed in accordance with agreed service levels.
  5. Ensuring outsourcing partners and subcontractors are audited.
  6. Conducting reviews of security incidents based on agreed-upon standards.
  7. Maintaining records on all IS incidents, tangible operational problems, and fault logs.
  8. Taking proactive action in response to any information security incidents.
  9. Identifying information security vulnerabilities and mitigating them as much as possible.
  10. Analysing relevant information security factors associated with supplier relationships.
  11. Ensuring services are delivered in the event of supplier disruption, including a disaster recovery effort.
  12. Providing a list of key supplier personnel for maintaining compliance and adhering to the terms of the contract.
  13. Making sure suppliers maintain a regular baseline standard for information security.