ISO 27001:2022 Annex A 5.22 – Monitoring and Review and Change Management of Supplier Services

What Is the Purpose of ISO 27001:2022 Annex A 5.22?

Annex A control 5.22 aims to ensure that an agreed level of information security and service delivery is maintained. This is in accordance with supplier contracts regarding supplier service development.

The Services of Suppliers Are Monitored and Reviewed

In Annex A 5.22, organisations are described as regularly monitoring, reviewing and auditing their supplier service delivery processes. Conducting reviews and monitoring is best done in accordance with the information at risk since one size does not fit all situations.

By conducting its reviews in accordance with the proposed segmentation of suppliers, the organisation can optimise their resources and ensure that their efforts are concentrated on monitoring and reviewing where the most significant impact can be achieved.

As with Annex A 5.19, pragmatism is sometimes necessary – small organisations will not necessarily receive an audit, a human resource review, or dedicated service improvements by using AWS. To ensure that they remain suitable for your purpose, you might check (for example) their annually published SOC II reports and security certifications.

Monitoring should be documented based on your power, risks and value, so your auditor can confirm that it has been completed. This is because any necessary changes have been managed through a formal change control procedure.

Managing Supplier Service Changes

Suppliers must maintain and improve existing information security policies, procedures, and controls to manage any changes to the provision of services by suppliers. The process considers the criticality of business information, the nature of the change, the supplier types affected, the processes and systems involved, and a reassessment of risks.

In making changes to suppliers’ services, it is also important to consider the intimacy of the relationship. This is as well as the organisation’s ability to influence or control a change within the supplier.

Control 5.22 specifies how organisations should monitor, review, and manage changes to a supplier’s security practices and service delivery standards. It also assesses how they impact the organisation’s own security practices.

In managing relationships with their suppliers, an organisation should strive to maintain a baseline level of information security that complies with any agreements they have signed.

In accordance with ISO 27001:2022, Annex A 5.22 is a preventative control designed to minimise risk by helping the supplier maintain an “agreed level of information security and service delivery.

Ownership of Annex A Control 5.22

A member of senior management who oversees an organisation’s commercial operations and maintains a direct relationship with the organisation’s suppliers should be responsible for Control 5.22.

ISO 27001:2022 Annex A 5.22 General Guidance

According to ISO 27001:2022 Annex A Control 5.22, 13 key areas should be considered when managing supplier relationships and how these factors affect their own information security measures.

An organisation must ensure that employees responsible for managing service-level agreements and supplier relationships possess the requisite skills and technical resources. This is to ensure that they are able to evaluate supplier performance adequately and that information security standard is not breached.

An organisation’s policies and procedures should be drafted by:

1. Continuously monitor service levels in accordance with published service level agreements, and address any shortfalls as soon as they arise.
2. The supplier must be monitored for any changes to their own operation, including (but not limited to): (1) Service enhancements (2) New applications, systems or software processes (3) Relevant and meaningful revisions to the internal governance documents of the supplier, and (4) any changes to incident management procedures or attempts to improve the level of information security.
3. Any changes involving the service, including (but not limited to): a) Infrastructure changes b) Applications of emerging technologies c) Product updates and version upgrades d) Changes in the development environment e) Logistical and physical changes to supplier facilities, including new locations f) Changes to outsourcing partners or subcontractors g) Intentions to subcontract, where such a practice has not been practised previously.
4. Ensure that service reports are delivered regularly, that data is analysed, and that review meetings are conducted in accordance with agreed service levels.
5. Ensure that outsourcing partners and subcontractors are audited and address any areas of concern.
6. Conduct a review of security incidents based on the standard and practices agreed upon by the supplier and in accordance with the incident management standards.
7. Records should be maintained on all incidents of information security, tangible operational problems, fault logs, and general barriers to meeting the agreed-upon service delivery standards.
8. Take proactive action in response to incidents relating to information security.
9. Identify any vulnerabilities in information security and mitigate them to the fullest extent possible.
10. Perform an analysis of any relevant information security factors associated with the supplier’s relationship with its suppliers and subcontractors.
11. In the event of significant disruption on the supplier’s side, including a disaster recovery effort, ensure service delivery is delivered to acceptable levels.
12. Provide a list of the key personnel in the supplier’s operation responsible for maintaining compliance and adhering to the terms of the contract.
13. Make sure that a supplier maintains a baseline standard for information security regularly.

Supporting Annex A Controls

• ISO 27001:2022 Annex A 5.29
• ISO 27001:2022 Annex A 5.30
• ISO 27001:2022 Annex A 5.35
• ISO 27001:2022 Annex A 5.36
• ISO 27001:2022 Annex A 8.14

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

What Is the Benefit of Using ISMS.online to Manage Supplier Relationships?

This Annex A control objective has been made very easy by ISMS.online. This is because ISMS.online provides evidence that your relationships are carefully selected, well-managed, and monitored and reviewed. This is done in our easy-to-use Accounts relationships (e.g. supplier) area. Collaboration projects work spaces allow the auditor to easily view important supplier on boarding, joint initiatives, off boarding, etc.

In addition to assisting your organisation with this Annex A control objective, ISMS.online also provides you with the ability to provide evidence that the supplier has formally accepted the requirements and has understood its responsibilities for information security through our Policy Packs. As a result of their specific policies & controls, Policy Packs assure suppliers that their staff have read and committed to complying with the organisation’s policies & controls.

There may be a broader requirement to align with Annex A.5.8 Information security in project management, depending on the nature of the change (e.g. for more material changes).

Implementing ISO 27001 is easier with our step-by-step checklist, which guides you from defining your ISMS scope to identifying risks and implementing controls.

ISMS.online offers the following benefits:

• The platform allows you to create an ISMS compliant with ISO 27001 requirements.
• Users can complete tasks and submit evidence to demonstrate compliance with the standard.
• The process of delegating responsibilities and monitoring compliance progress is easy.
• As a result of the comprehensive risk assessment tool set, the process is expedited and time-saving.
• A dedicated team of consultants can assist you throughout the compliance process.

Get in touch with us today to schedule a demo.