ISO 27001:2022 Annex A Control 5.21

Managing Information Security in the ICT Supply Chain

Book a demo

the,woman,works,at,home,and,uses,a,smart,phone

What Is the Purpose of ISO 27001:2022 Annex A 5.21?

In Annex A Control 5.21, organisations must implement robust processes and procedures before supplying any products or services to manage information security risks.

Control 5.21 in Annex A is a preventative control that maintains the risk within the ICT supply chain by establishing an “agreed level of security” between the parties.

Annex A 5.21 of ISO 27001 is aimed at ICT suppliers who may need something in addition to or instead of the standard approach. Although ISO 27001 recommends numerous areas for implementation, pragmatism is also required. Considering the organisation’s size compared to some of the very large companies it will occasionally be working with (e.g. data centres, hosting services, banks, etc.), it may need to have the ability to influence practices further down the supply chain.

Depending on the information and communication technology services being provided, the organisation should carefully assess the risks that may arise. In the case of an infrastructure-critical service provider, for example, it is important to ensure greater protection than if the supplier only has access to publicly available information (e.g. source code for the flagship software service) if the supplier provides infrastructure-critical services.

Ownership of Annex A Control 5.21

In Annex A Control 5.21, the focus is on the provision of information and communication technology services by a supplier or group of suppliers.

Therefore, the person responsible for acquiring, managing, and renewing ICT supplier relationships across all business functions, such as the Chief Technical Officer or Head of Information Technology, should have ownership of this process.

Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

ISO 27001:2022 Annex A 5.21 – General Guidelines

The ISO 27001 standard specifies 13 ICT-related guidance points that should be considered alongside any other Annex A controls that govern an organisation’s relationship with its suppliers.

Over the past decade, cross-platform on-premise and cloud services have become increasingly popular. ISO 27001:2022 Annex A Control 5.21 deals with the supply of hardware and software-related components and services (both on-premise and cloud-based) but rarely differentiate between the two.

Several Annex A controls address the relationship between the supplier and the organisation and the supplier’s obligations when subcontracting parts of the supply chain to third parties.

  1. Organisations should draft a comprehensive set of information security standards tailored to their specific needs to set clear expectations regarding how suppliers should conduct themselves in providing ICT products and services.
  2. ICT suppliers are responsible for ensuring that contractors and their personnel are fully conversant with the organisation’s unique information security standards. This is true if they subcontract any element of the supply chain.
  3. The supplier must communicate the organisation’s security requirements to any vendors or suppliers they use when the need arises to acquire components (physical or virtual) from third parties.
  4. An organisation should request information from suppliers regarding the software components’ nature and function.
  5. The organisation should identify and operate any product or service provided in a manner that does not compromise information security.
  6. Risk levels should not be taken for granted by organisations. Instead, organisations should draft procedures that ensure that any products or services delivered by suppliers are secure and comply with industry standards. Several methods may be employed to ensure compliance, including certification checks, internal testing, and supporting documentation.
  7. As part of receiving a product or service, organisations should identify and record any elements deemed essential to maintaining core functionality – particularly if those components were derived from subcontractors or outsourced agreements.
  8. Suppliers should have concrete assurances that “critical components” are tracked throughout the ICT supply chain from creation to delivery as part of an audit log.
  9. Organisations should seek categorical assurance before delivering ICT products and services. This is to ensure that they operate within the scope and do not contain any additional features that may pose a collateral security risk.
  10. Component specifications are crucial to ensure that an organisation understands the hardware and software components it is introducing to its network. Organisations should require stipulations confirming that components are legitimate upon delivery, and suppliers should consider anti-tampering measures throughout the development life cycle.
  11. It is critical to obtain assurances regarding the compliance of ICT products with industry-standard and sector-specific security requirements according to the specific product requirements. It is common for companies to achieve this by obtaining a minimum level of formal security certification or adhering to a set of internationally recognised information standards (for example, the Common Criteria Recognition Arrangement).
  12. Sharing information and data regarding mutual supply chain operations requires organisations to ensure that suppliers know their obligations. In this regard, organisations should acknowledge potential conflicts or problems between the parties. They should also know how to resolve them at the beginning of the process. Age of the process.
  13. The organisation must develop procedures to manage risk when operating with unsupported, unsupported, or legacy components, wherever they are located. In these situations, the organisation should be able to adapt and identify alternatives accordingly.

Annex A 5.21 Supplementary Guidance

Per Annex A Control 5.21, ICT supply chain governance should be considered in collaboration. It is intended to complement existing supply chain management procedures and to provide context for ICT-specific products and services.

The ISO 27001:2022 standard acknowledges that quality control within the ICT sector does not include granular inspection of a supplier’s compliance procedures, particularly regarding software components.

It is therefore recommended that organisations identify supplier-specific checks that are used to verify that the supplier is a “reputable source” and that they draft agreements that state in detail the supplier’s responsibilities for information security when fulfilling a contract, order or providing a service.

What Are the Changes From ISO 27001:2013?

ISO 27001:2022 Annex A Control 5.21 replaces ISO 27001:2013 Annex A Control 15.1.3 (Supply chain for information and communication technology).

In addition to adhering to the same general guidance rules as ISO 27001:2013 Annex A 15.1.3, ISO 27001:2022 Annex A 5.21 places a great deal of emphasis on the supplier’s obligation to provide and verify component-related information at the point of supply, including:

  • Suppliers of information technology components.
  • Provide an overview of a product’s security features and how to use it from a security perspective.
  • Assurances regarding the level of security required.

According to ISO 27001:2022 Annex A 5.21, the organisation is also required to create additional component-specific information when introducing products and services, such as:

  • Identifying and documenting key components of a product or service that contribute to its core functionality.
  • Assuring the authenticity and integrity of components.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

What Is the Benefit of ISMS.online When It Comes to Supplier Relationships?

This Annex A control objective has been made very easy by ISMS.online. This is because ISMS.online provides evidence that your relationships are carefully selected, well-managed, and monitored and reviewed.

This is done in our easy-to-use Accounts relationships (e.g. supplier) area. Collaboration projects work spaces allow the auditor to easily view key supplier on boarding, joint initiatives, off boarding, etc.

Additionally, ISMS.online has made it easier for your organisation to achieve this Annex A control objective by enabling you to provide evidence that the supplier has formally committed to complying with the requirements and has understood the supplier’s responsibilities regarding information security with our Policy Packs.

In addition to the broader agreements between a customer and supplier, Policy Packs are ideal for organisations with specific policies & Annex A controls they wish supplier staff to adhere to, ensuring that they have read their policies and committed to following them.

The Cloud-Based Platform We Offer Additionally Provides the Following Features

  • A document management system that is easy to use and can be customised.
  • You will have access to a library of polished, pre-written documentation templates.
  • The process for conducting internal audits has been simplified.
  • A method of communicating with management and stakeholders that is efficient.
  • A workflow module is provided to facilitate the implementation process.

To schedule a demo, don’t hesitate to get in touch with us today.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Assured Results Method
100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo

Streamline your workflow with our new Jira integration! Learn more here.