What Is the Purpose of ISO 27001:2022 Annex A 5.21?
Annex A Control 5.21 requires organisations to implement robust processes and procedures to manage information security risks before any ICT products or services are supplied.
Control 5.21 in Annex A is a preventative control that manages risk within the ICT supply chain by establishing an “agreed level of security” between the parties.
Annex A 5.21 of ISO 27001 is aimed at ICT suppliers who may need something in addition to, or instead of, the standard approach. Although ISO 27001 recommends numerous areas for implementation, pragmatism is also required: given the organisation’s size compared to some of the very large companies it will occasionally work with (e.g. data centres, hosting services, banks), it may need the ability to influence practices further down the supply chain.
Depending on the information and communication technology services being provided, the organisation should carefully assess the risks that may arise. A supplier that provides infrastructure-critical services, or that has access to sensitive material such as the source code of the flagship software service, warrants greater protection than a supplier with access only to publicly available information.
Ownership of Annex A Control 5.21
In Annex A Control 5.21, the focus is on the provision of information and communication technology services by a supplier or group of suppliers.
Therefore, the person responsible for acquiring, managing, and renewing ICT supplier relationships across all business functions, such as the Chief Technical Officer or Head of Information Technology, should have ownership of this process.
ISO 27001:2022 Annex A 5.21 – General Guidelines
The ISO 27001 standard specifies 13 ICT-related guidance points that should be considered alongside any other Annex A controls that govern an organisation’s relationship with its suppliers.
Over the past decade, cross-platform on-premise and cloud services have become increasingly popular. ISO 27001:2022 Annex A Control 5.21 deals with the supply of hardware- and software-related components and services (both on-premise and cloud-based) but rarely differentiates between the two.
Several Annex A controls address the relationship between the supplier and the organisation and the supplier’s obligations when subcontracting parts of the supply chain to third parties.
- Organisations should draft a comprehensive set of information security standards tailored to their specific needs to set clear expectations regarding how suppliers should conduct themselves in providing ICT products and services.
- ICT suppliers are responsible for ensuring that contractors and their personnel are fully conversant with the organisation’s unique information security standards. This applies equally where they subcontract any element of the supply chain.
- The supplier must communicate the organisation’s security requirements to any vendors or suppliers they use when the need arises to acquire components (physical or virtual) from third parties.
- An organisation should request information from suppliers regarding the software components’ nature and function.
- The organisation should identify and operate any product or service provided in a manner that does not compromise information security.
- Risk levels should not be taken for granted by organisations. Instead, organisations should draft procedures that ensure that any products or services delivered by suppliers are secure and comply with industry standards. Several methods may be employed to ensure compliance, including certification checks, internal testing, and supporting documentation.
- As part of receiving a product or service, organisations should identify and record any elements deemed essential to maintaining core functionality – particularly if those components were derived from subcontractors or outsourced agreements.
- Suppliers should provide concrete assurances that “critical components” are tracked throughout the ICT supply chain from creation to delivery as part of an audit log.
- Organisations should seek categorical assurance before ICT products and services are delivered. This is to ensure that they operate within the agreed scope and do not contain any additional features that may pose a collateral security risk.
- Component specifications are crucial to ensure that an organisation understands the hardware and software components it is introducing to its network. Organisations should require stipulations confirming that components are legitimate upon delivery, and suppliers should consider anti-tampering measures throughout the development life cycle.
- It is critical to obtain assurances that ICT products comply with industry-standard and sector-specific security requirements appropriate to the product. Companies commonly achieve this by requiring a minimum level of formal security certification or adherence to a set of internationally recognised information security standards (for example, the Common Criteria Recognition Arrangement).
- Sharing information and data regarding mutual supply chain operations requires organisations to ensure that suppliers know their obligations. In this regard, organisations should acknowledge potential conflicts or problems between the parties and agree at the beginning of the process how they will be resolved.
- The organisation must develop procedures to manage risk when operating with unsupported or legacy components, wherever they are located. In these situations, the organisation should be able to adapt and identify alternatives accordingly.
Annex A 5.21 Supplementary Guidance
Per Annex A Control 5.21, ICT supply chain governance should be applied in collaboration with existing supply chain management procedures. It is intended to complement those procedures and to provide context for ICT-specific products and services.
The ISO 27001:2022 standard acknowledges that quality control within the ICT sector does not include granular inspection of a supplier’s compliance procedures, particularly regarding software components.
It is therefore recommended that organisations identify supplier-specific checks to verify that the supplier is a “reputable source”, and that they draft agreements that set out in detail the supplier’s responsibilities for information security when fulfilling a contract or order, or when providing a service.
What Are the Changes From ISO 27001:2013?
ISO 27001:2022 Annex A Control 5.21 replaces ISO 27001:2013 Annex A Control 15.1.3 (Supply chain for information and communication technology).
In addition to adhering to the same general guidance rules as ISO 27001:2013 Annex A 15.1.3, ISO 27001:2022 Annex A 5.21 places a great deal of emphasis on the supplier’s obligation to provide and verify component-related information at the point of supply, including:
- The suppliers of the information technology components.
- An overview of the product’s security features and how to use it securely.
- Assurances regarding the level of security required.
According to ISO 27001:2022 Annex A 5.21, the organisation is also required to create additional component-specific information when introducing products and services, such as:
- Identifying and documenting key components of a product or service that contribute to its core functionality.
- Assuring the authenticity and integrity of components.
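One way to operationalise the intake checks that the guidance points above and the general guidelines call for (identifying critical components, verifying their authenticity and integrity against what the supplier declared, flagging undeclared extras and unsupported or legacy components, and keeping an audit record): an added example written for this page, not code from the standard or from ISMS.online. The manifest, component names and byte contents are constructed sample data; in practice the manifest would come from the supplier, ideally signed.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: what the supplier declares it shipped. The hashes are
# computed here from reference builds so the example is self-contained; in a
# real intake they are taken from the supplier-provided (signed) manifest.
SUPPLIER_MANIFEST = {
    "auth-lib":      {"version": "2.4.1", "sha256": sha256_hex(b"auth-lib 2.4.1 release build"),
                      "critical": True,  "support": "supported"},
    "log-agent":     {"version": "1.0.0", "sha256": sha256_hex(b"log-agent 1.0.0 release build"),
                      "critical": False, "support": "supported"},
    "legacy-parser": {"version": "0.9",   "sha256": sha256_hex(b"legacy-parser 0.9 final build"),
                      "critical": True,  "support": "end-of-life"},
}

# Constructed sample: what actually arrived. log-agent's bytes differ from the
# declared build, and telemetry-plugin was never declared by the supplier.
DELIVERED = {
    "auth-lib":         b"auth-lib 2.4.1 release build",
    "log-agent":        b"log-agent 1.0.0 modified build",
    "legacy-parser":    b"legacy-parser 0.9 final build",
    "telemetry-plugin": b"telemetry-plugin 3.1 build",
}


def review_delivery(manifest, delivered):
    """Return one audit record per component named in the manifest or the delivery."""
    checked_at = datetime.now(timezone.utc).isoformat()
    records = []
    for name in sorted(set(manifest) | set(delivered)):
        declared, content = manifest.get(name), delivered.get(name)
        rec = {"component": name, "checked_at": checked_at,
               "critical": bool(declared and declared["critical"]), "findings": []}
        if declared is None:
            rec["findings"].append("undeclared: not in supplier manifest (scope check)")
        elif content is None:
            rec["findings"].append("missing: declared but not delivered")
        else:
            if sha256_hex(content) != declared["sha256"]:
                rec["findings"].append("integrity: hash differs from supplier manifest")
            if declared["support"] != "supported":
                rec["findings"].append(f"support: {declared['support']}, plan an alternative")
        rec["status"] = "ok" if not rec["findings"] else "flagged"
        records.append(rec)
    return records


def accept_delivery(records) -> bool:
    """Block acceptance on integrity, scope or completeness failures; support
    findings are recorded for risk treatment but do not block on their own."""
    blocking = ("integrity", "undeclared", "missing")
    return not any(f.split(":")[0] in blocking for r in records for f in r["findings"])


if __name__ == "__main__":
    for record in review_delivery(SUPPLIER_MANIFEST, DELIVERED):
        print(record)
    print("accept:", accept_delivery(review_delivery(SUPPLIER_MANIFEST, DELIVERED)))
```

The records are the evidence trail an auditor would expect to see alongside the supplier agreement; the "support" finding is what triggers the alternative-sourcing procedure for legacy components.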
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
ISO 27001:2022 Organisational Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Organisational Controls | Annex A 5.1 | Annex A 5.1.1 Annex A 5.1.2 | Policies for Information Security |
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
Organisational Controls | Annex A 5.8 | Annex A 6.1.5 Annex A 14.1.1 | Information Security in Project Management |
Organisational Controls | Annex A 5.9 | Annex A 8.1.1 Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
Organisational Controls | Annex A 5.10 | Annex A 8.1.3 Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
Organisational Controls | Annex A 5.14 | Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 | Information Transfer |
Organisational Controls | Annex A 5.15 | Annex A 9.1.1 Annex A 9.1.2 | Access Control |
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
Organisational Controls | Annex A 5.17 | Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 | Authentication Information |
Organisational Controls | Annex A 5.18 | Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 | Access Rights |
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
Organisational Controls | Annex A 5.22 | Annex A 15.2.1 Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
Organisational Controls | Annex A 5.29 | Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 | Information Security During Disruption |
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
Organisational Controls | Annex A 5.31 | Annex A 18.1.1 Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
Organisational Controls | Annex A 5.36 | Annex A 18.2.2 Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
ISO 27001:2022 People Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
People Controls | Annex A 6.8 | Annex A 16.1.2 Annex A 16.1.3 | Information Security Event Reporting |
ISO 27001:2022 Physical Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
Physical Controls | Annex A 7.2 | Annex A 11.1.2 Annex A 11.1.6 | Physical Entry |
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
Physical Controls | Annex A 7.10 | Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 | Storage Media |
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
ISO 27001:2022 Technological Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Technological Controls | Annex A 8.1 | Annex A 6.2.1 Annex A 11.2.8 | User Endpoint Devices |
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
Technological Controls | Annex A 8.8 | Annex A 12.6.1 Annex A 18.2.3 | Management of Technical Vulnerabilities |
Technological Controls | Annex A 8.9 | NEW | Configuration Management |
Technological Controls | Annex A 8.10 | NEW | Information Deletion |
Technological Controls | Annex A 8.11 | NEW | Data Masking |
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
Technological Controls | Annex A 8.15 | Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 | Logging |
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
Technological Controls | Annex A 8.19 | Annex A 12.5.1 Annex A 12.6.2 | Installation of Software on Operational Systems |
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
Technological Controls | Annex A 8.23 | NEW | Web filtering |
Technological Controls | Annex A 8.24 | Annex A 10.1.1 Annex A 10.1.2 | Use of Cryptography |
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
Technological Controls | Annex A 8.26 | Annex A 14.1.2 Annex A 14.1.3 | Application Security Requirements |
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
Technological Controls | Annex A 8.28 | NEW | Secure Coding |
Technological Controls | Annex A 8.29 | Annex A 14.2.8 Annex A 14.2.9 | Security Testing in Development and Acceptance |
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
Technological Controls | Annex A 8.31 | Annex A 12.1.4 Annex A 14.2.6 | Separation of Development, Test and Production Environments |
Technological Controls | Annex A 8.32 | Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 | Change Management |
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
What Is the Benefit of ISMS.online When It Comes to Supplier Relationships?
This Annex A control objective has been made very easy by ISMS.online. This is because ISMS.online provides evidence that your relationships are carefully selected, well-managed, and monitored and reviewed.
This is done in our easy-to-use Accounts relationships (e.g. supplier) area. Collaboration project workspaces allow the auditor to easily view key supplier onboarding, joint initiatives, offboarding, etc.
Additionally, ISMS.online has made it easier for your organisation to achieve this Annex A control objective by enabling you to provide evidence that the supplier has formally committed to complying with the requirements and has understood the supplier’s responsibilities regarding information security with our Policy Packs.
In addition to the broader agreements between a customer and supplier, Policy Packs are ideal for organisations with specific policies and Annex A controls they wish supplier staff to adhere to, ensuring that they have read those policies and committed to following them.
The Cloud-Based Platform We Offer Additionally Provides the Following Features
- A document management system that is easy to use and can be customised.
- You will have access to a library of polished, pre-written documentation templates.
- The process for conducting internal audits has been simplified.
- A method of communicating with management and stakeholders that is efficient.
- A workflow module is provided to facilitate the implementation process.
To schedule a demo, don’t hesitate to get in touch with us today.