ISO 27001:2022 Annex A Control 5.20

Addressing Information Security Within Supplier Agreements

Book a demo

young,business,colleagues,working,in,a,busy,open,plan,office

What Is The Purpose of ISO 27001:2022 Annex A 5.20?

ISO 27001 Annex A Control 5.20 governs how an organisation forms a contract with a supplier based on their requirements for security. This is based on the types of suppliers they work with.

As part of Annex A Control 5.20, organisations and their suppliers must agree upon mutually acceptable information security obligations to maintain risk.

Who Has Ownership of Annex A 5.20?

Annex Control 5.20 should be determined by whether the organisation operates its own legal department, as well as the nature of the agreement that has been signed.

Managing any changes to supply chain policies, procedures, and controls, including maintaining and improving existing information security policies, procedures, and controls, is considered effective control.

This is determined by considering the criticality of business information, the nature of the change, the type/s of suppliers affected, the systems and processes involved, and reassessing risk factors. Changing the services a supplier provides should also consider the relationship’s intimacy and the organisation’s ability to influence or control the change.

Ownership of 5.20 should rest with the individual responsible for legally binding agreements within the organisation (contracts, memos of understanding, service level agreements, etc.) if the organisation has the legal capacity to draft, amend, and store its contract agreements without the involvement of third parties.

A member of senior management in the organisation who oversees the commercial operations of the organisation and maintains direct relationships with its suppliers should take responsibility for Annex A Control 5.20 if the organisation outsources such agreements.

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

ISO 27001:2022 Annex A 5.20 General Guidance

Control 5.20 of Annex A contains 25 guidance points that ISO states are “possible to consider” (i.e. not necessarily all) for organisations to meet their information security requirements.

Annex A Control 5.20 specifies that regardless of measures adopted, both parties must emerge from the process with a “clear understanding” of each other’s information security obligations.

  1. It is essential to provide a clear description of the information that needs to be accessed and how that information will be accessed.
  2. Organisations should classify information by their published classification schemes (see Annex A Controls 5.10, 5.12, and 5.13).
  3. Information classification on the supplier’s side should be considered along with how it relates to that on the organisation’s side.
  4. Generally, both parties’ rights can be divided into four categories: legal, statutory, regulatory, and contractual. As is standard with commercial agreements, various obligations should be clearly outlined within these four areas, including access to personal information, intellectual property rights, and copyright provisions. The contract should also cover how these key areas will be addressed separately.
  5. As part of the Annex A control system, each party should be required to implement concurrent measures designed to monitor, assess, and manage information security risks (such as access control policies, contractual reviews, monitoring, reporting, and periodic auditing). Furthermore, the agreement should clearly state that supplier personnel must comply with the organisation’s information security standards (see ISO 27001 Annex A Control 5.20).
  6. Both parties must clearly understand what constitutes acceptable and unacceptable use of information, as well as physical and virtual assets.
  7. To ensure that supplier-side personnel can access and view an organisation’s information, procedures should be put in place (e.g. supplier-side audits and server access controls).
  8. In addition to considering the supplier’s ICT infrastructure, it is important to understand how that relates to the type of information the organisation will access. This is in addition to the organisation’s core set of business requirements.
  9. If the supplier breaches the contract or fails to comply with individual terms, the organisation should consider what steps it can take.
  10. Specifically, the agreement should describe a mutual incident management procedure that clarifies how problems should be handled when they arise. This includes how both parties should communicate when an incident occurs.
  11. Both parties should provide adequate awareness training (where standard training is not sufficient) in key areas of the agreement, particularly in areas of risk such as Incident Management and Information Sharing.
  12. The use of subcontractors should be adequately addressed. Organisations should ensure that, if the supplier is allowed to utilise subcontractors, any such individuals or companies adhere to the same information security standards as the supplier.
  13. As far as it is legally and operationally possible, organisations should consider how supplier personnel are screened before interacting with their information. In addition, they should consider how screenings are recorded and reported to the organisation, including nonscreened personnel and areas of concern.
  14. Third-party attestation, such as independent reports and third-party audits, should be required by organisations for suppliers that comply with their information security requirements.
  15. ISO 27001:2022 Annex A Control 5.20 requires that organisations have the right to evaluate and audit their suppliers’ procedures.
  16. A supplier should be required to provide periodic reports (at varying intervals) that summarise the effectiveness of their processes and procedures and how they intend to address any issues raised.
  17. During the relationship, the agreement should include measures to ensure that any defects or conflicts are timely and thoroughly resolved.
  18. An appropriate BUDR policy should be implemented by the supplier, tailored to meet the organisation’s needs, that addresses three key considerations: a) Backup type (full server, file and folder, incremental), b) Backup frequency (daily, weekly, etc.) C) Backup location and source media (onsite, offsite).
  19. It is essential to ensure data resilience by operating out of a disaster recovery facility separate from the supplier’s main ICT site. This facility is not subject to the same level of risk as the main ICT site.
  20. Suppliers should maintain a comprehensive change management policy that allows the organisation to reject any changes that might affect information security in advance.
  21. Physical security controls should be implemented depending on what information they are permitted to access (building access, visitor access, room access, desk security).
  22. Whenever data is transferred between assets, sites, servers, or storage locations, suppliers should ensure that the data and assets are protected against loss, damage, or corruption.
  23. As part of the agreement, each party should be required to take an extensive list of actions in the event of termination (see Annex A Control 5.20). These actions include (but are not limited to): a) disposing of assets and/or relocation, b) deleting information, c) returning IP, d) removing access rights e) continuing confidentiality obligations.
  24. In addition to point 23, the supplier should discuss in detail how it intends to destroy/permanently delete the organisation’s information when it is no longer needed (i.e. upon the termination of the contract).
  25. Whenever a contract ends and the need arises to transfer support and/or services to another provider not listed on the contract, steps are taken to ensure no interruption to business operations.

Accompanying Annex A Controls

  • ISO 27001:2022 Annex A 5.10
  • ISO 27001:2022 Annex A 5.12
  • ISO 27001:2022 Annex A 5.13
  • ISO 27001:2022 Annex A 5.20

Supplementary Guidance on Annex A 5.20

Annex A Control 5.20 recommends that organisations maintain a register of agreements to assist them in managing their supplier relationships.

Records of all agreements held with other organisations should be kept, categorised by the nature of the relationship. This includes contracts, memoranda of understanding, and agreements relating to information sharing.

What Are the Changes From ISO 27001:2013?

An amendment to ISO 27001:2013 Annex A 15.1.2 (Addressing security within supplier agreements) has been made to ISO 27001:2022 Annex A Control 5.20.

Several additional guidelines are contained in Annex A Control 5.20 of ISO 27001:2022 that address a broad range of technical, legal, and compliance-related issues, including:

  • The handover procedure.
  • Destruction of information.
  • Provisions for termination.
  • Controls for physical security.
  • Change management.
  • Information redundancy and backups.

As a general rule, ISO 27001:2022 Annex A 5.20 emphasises how a supplier achieves redundancy and data integrity throughout a contract.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

What Are the Benefits of Using ISMS.online for Supplier Relationships?

A step-by-step checklist guides you through the entire ISO 27001 implementation process, from defining the scope of your ISMS to identifying risks and implementing controls.

Through ISMS.online’s easy-to-use Accounts relationships (e.g. supplier) area, you can ensure that your relationships are carefully selected, managed well in life and monitored and reviewed. ISMS.online’s collaborative project work spaces have easily met this control objective. These work spaces are useful for supplier on boarding, joint initiatives, off boarding, etc., which the auditor can also view easily when necessary.

We have also made this control objective easier for your organisation by enabling you to demonstrate that the supplier has formally committed to complying with the requirements. This is done through our Policy Packs. These policy packs are especially useful for organisations with specific policies and controls that they wish their suppliers to adhere to so that they can have confidence that their suppliers have read these policies and have committed to complying with them.

It may be necessary to align the change with A.6.1.5 Information security in project management depending on the nature of the change (e.g. for more substantial changes).

Book a demo today.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.