ISO 27001:2022 Annex A 5.20 – Addressing Information Security Within Supplier Agreements

What Is The Purpose of ISO 27001:2022 Annex A 5.20?

ISO 27001 Annex A Control 5.20 governs how an organisation forms a contract with a supplier based on their requirements for security. This is based on the types of suppliers they work with.

As part of Annex A Control 5.20, organisations and their suppliers must agree upon mutually acceptable information security obligations to maintain risk.

Who Has Ownership of Annex A 5.20?

Annex Control 5.20 should be determined by whether the organisation operates its own legal department, as well as the nature of the agreement that has been signed.

Managing any changes to supply chain policies, procedures, and controls, including maintaining and improving existing information security policies, procedures, and controls, is considered effective control.

This is determined by considering the criticality of business information, the nature of the change, the type/s of suppliers affected, the systems and processes involved, and reassessing risk factors. Changing the services a supplier provides should also consider the relationship’s intimacy and the organisation’s ability to influence or control the change.

Ownership of 5.20 should rest with the individual responsible for legally binding agreements within the organisation (contracts, memos of understanding, service level agreements, etc.) if the organisation has the legal capacity to draft, amend, and store its contract agreements without the involvement of third parties.

A member of senior management in the organisation who oversees the commercial operations of the organisation and maintains direct relationships with its suppliers should take responsibility for Annex A Control 5.20 if the organisation outsources such agreements.

ISO 27001:2022 Annex A 5.20 General Guidance

Control 5.20 of Annex A contains 25 guidance points that ISO states are “possible to consider” (i.e. not necessarily all) for organisations to meet their information security requirements.

Annex A Control 5.20 specifies that regardless of measures adopted, both parties must emerge from the process with a “clear understanding” of each other’s information security obligations.

1. It is essential to provide a clear description of the information that needs to be accessed and how that information will be accessed.
2. Organisations should classify information by their published classification schemes (see Annex A Controls 5.10, 5.12, and 5.13).
3. Information classification on the supplier’s side should be considered along with how it relates to that on the organisation’s side.
4. Generally, both parties’ rights can be divided into four categories: legal, statutory, regulatory, and contractual. As is standard with commercial agreements, various obligations should be clearly outlined within these four areas, including access to personal information, intellectual property rights, and copyright provisions. The contract should also cover how these key areas will be addressed separately.
5. As part of the Annex A control system, each party should be required to implement concurrent measures designed to monitor, assess, and manage information security risks (such as access control policies, contractual reviews, monitoring, reporting, and periodic auditing). Furthermore, the agreement should clearly state that supplier personnel must comply with the organisation’s information security standards (see ISO 27001 Annex A Control 5.20).
6. Both parties must clearly understand what constitutes acceptable and unacceptable use of information, as well as physical and virtual assets.
7. To ensure that supplier-side personnel can access and view an organisation’s information, procedures should be put in place (e.g. supplier-side audits and server access controls).
8. In addition to considering the supplier’s ICT infrastructure, it is important to understand how that relates to the type of information the organisation will access. This is in addition to the organisation’s core set of business requirements.
9. If the supplier breaches the contract or fails to comply with individual terms, the organisation should consider what steps it can take.
10. Specifically, the agreement should describe a mutual incident management procedure that clarifies how problems should be handled when they arise. This includes how both parties should communicate when an incident occurs.
11. Both parties should provide adequate awareness training (where standard training is not sufficient) in key areas of the agreement, particularly in areas of risk such as Incident Management and Information Sharing.
12. The use of subcontractors should be adequately addressed. Organisations should ensure that, if the supplier is allowed to utilise subcontractors, any such individuals or companies adhere to the same information security standards as the supplier.
13. As far as it is legally and operationally possible, organisations should consider how supplier personnel are screened before interacting with their information. In addition, they should consider how screenings are recorded and reported to the organisation, including nonscreened personnel and areas of concern.
14. Third-party attestation, such as independent reports and third-party audits, should be required by organisations for suppliers that comply with their information security requirements.
15. ISO 27001:2022 Annex A Control 5.20 requires that organisations have the right to evaluate and audit their suppliers’ procedures.
16. A supplier should be required to provide periodic reports (at varying intervals) that summarise the effectiveness of their processes and procedures and how they intend to address any issues raised.
17. During the relationship, the agreement should include measures to ensure that any defects or conflicts are timely and thoroughly resolved.
18. An appropriate BUDR policy should be implemented by the supplier, tailored to meet the organisation’s needs, that addresses three key considerations: a) Backup type (full server, file and folder, incremental), b) Backup frequency (daily, weekly, etc.) C) Backup location and source media (onsite, offsite).
19. It is essential to ensure data resilience by operating out of a disaster recovery facility separate from the supplier’s main ICT site. This facility is not subject to the same level of risk as the main ICT site.
20. Suppliers should maintain a comprehensive change management policy that allows the organisation to reject any changes that might affect information security in advance.
21. Physical security controls should be implemented depending on what information they are permitted to access (building access, visitor access, room access, desk security).
22. Whenever data is transferred between assets, sites, servers, or storage locations, suppliers should ensure that the data and assets are protected against loss, damage, or corruption.
23. As part of the agreement, each party should be required to take an extensive list of actions in the event of termination (see Annex A Control 5.20). These actions include (but are not limited to): a) disposing of assets and/or relocation, b) deleting information, c) returning IP, d) removing access rights e) continuing confidentiality obligations.
24. In addition to point 23, the supplier should discuss in detail how it intends to destroy/permanently delete the organisation’s information when it is no longer needed (i.e. upon the termination of the contract).
25. Whenever a contract ends and the need arises to transfer support and/or services to another provider not listed on the contract, steps are taken to ensure no interruption to business operations.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.10
• ISO 27001:2022 Annex A 5.12
• ISO 27001:2022 Annex A 5.13
• ISO 27001:2022 Annex A 5.20

Supplementary Guidance on Annex A 5.20

Annex A Control 5.20 recommends that organisations maintain a register of agreements to assist them in managing their supplier relationships.

Records of all agreements held with other organisations should be kept, categorised by the nature of the relationship. This includes contracts, memoranda of understanding, and agreements relating to information sharing.

What Are the Changes From ISO 27001:2013?

An amendment to ISO 27001:2013 Annex A 15.1.2 (Addressing security within supplier agreements) has been made to ISO 27001:2022 Annex A Control 5.20.

Several additional guidelines are contained in Annex A Control 5.20 of ISO 27001:2022 that address a broad range of technical, legal, and compliance-related issues, including:

• The handover procedure.
• Destruction of information.
• Provisions for termination.
• Controls for physical security.
• Change management.
• Information redundancy and backups.

As a general rule, ISO 27001:2022 Annex A 5.20 emphasises how a supplier achieves redundancy and data integrity throughout a contract.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

What Are the Benefits of Using ISMS.online for Supplier Relationships?

A step-by-step checklist guides you through the entire ISO 27001 implementation process, from defining the scope of your ISMS to identifying risks and implementing controls.

Through ISMS.online’s easy-to-use Accounts relationships (e.g. supplier) area, you can ensure that your relationships are carefully selected, managed well in life and monitored and reviewed. ISMS.online’s collaborative project work spaces have easily met this control objective. These work spaces are useful for supplier on boarding, joint initiatives, off boarding, etc., which the auditor can also view easily when necessary.

We have also made this control objective easier for your organisation by enabling you to demonstrate that the supplier has formally committed to complying with the requirements. This is done through our Policy Packs. These policy packs are especially useful for organisations with specific policies and controls that they wish their suppliers to adhere to so that they can have confidence that their suppliers have read these policies and have committed to complying with them.

It may be necessary to align the change with A.6.1.5 Information security in project management depending on the nature of the change (e.g. for more substantial changes).

Book a demo today.