ISO 27001:2022 Annex A Control 5.22

Monitoring and Review and Change Management of Supplier Services

Book a demo

top,view,business,people,work,from,home,using,laptop,on

What Is the Purpose of ISO 27001:2022 Annex A 5.22?

Annex A control 5.22 aims to ensure that an agreed level of information security and service delivery is maintained. This is in accordance with supplier contracts regarding supplier service development.

The Services of Suppliers Are Monitored and Reviewed

In Annex A 5.22, organisations are described as regularly monitoring, reviewing and auditing their supplier service delivery processes. Conducting reviews and monitoring is best done in accordance with the information at risk since one size does not fit all situations.

By conducting its reviews in accordance with the proposed segmentation of suppliers, the organisation can optimise their resources and ensure that their efforts are concentrated on monitoring and reviewing where the most significant impact can be achieved.

As with Annex A 5.19, pragmatism is sometimes necessary – small organisations will not necessarily receive an audit, a human resource review, or dedicated service improvements by using AWS. To ensure that they remain suitable for your purpose, you might check (for example) their annually published SOC II reports and security certifications.

Monitoring should be documented based on your power, risks and value, so your auditor can confirm that it has been completed. This is because any necessary changes have been managed through a formal change control procedure.

Managing Supplier Service Changes

Suppliers must maintain and improve existing information security policies, procedures, and controls to manage any changes to the provision of services by suppliers. The process considers the criticality of business information, the nature of the change, the supplier types affected, the processes and systems involved, and a reassessment of risks.

In making changes to suppliers’ services, it is also important to consider the intimacy of the relationship. This is as well as the organisation’s ability to influence or control a change within the supplier.

Control 5.22 specifies how organisations should monitor, review, and manage changes to a supplier’s security practices and service delivery standards. It also assesses how they impact the organisation’s own security practices.

In managing relationships with their suppliers, an organisation should strive to maintain a baseline level of information security that complies with any agreements they have signed.

In accordance with ISO 27001:2022, Annex A 5.22 is a preventative control designed to minimise risk by helping the supplier maintain an “agreed level of information security and service delivery.

Ownership of Annex A Control 5.22

A member of senior management who oversees an organisation’s commercial operations and maintains a direct relationship with the organisation’s suppliers should be responsible for Control 5.22.

ISO 27001:2022 Annex A 5.22 General Guidance

According to ISO 27001:2022 Annex A Control 5.22, 13 key areas should be considered when managing supplier relationships and how these factors affect their own information security measures.

An organisation must ensure that employees responsible for managing service-level agreements and supplier relationships possess the requisite skills and technical resources. This is to ensure that they are able to evaluate supplier performance adequately and that information security standard is not breached.

An organisation’s policies and procedures should be drafted by:

  1. Continuously monitor service levels in accordance with published service level agreements, and address any shortfalls as soon as they arise.
  2. The supplier must be monitored for any changes to their own operation, including (but not limited to): (1) Service enhancements (2) New applications, systems or software processes (3) Relevant and meaningful revisions to the internal governance documents of the supplier, and (4) any changes to incident management procedures or attempts to improve the level of information security.
  3. Any changes involving the service, including (but not limited to): a) Infrastructure changes b) Applications of emerging technologies c) Product updates and version upgrades d) Changes in the development environment e) Logistical and physical changes to supplier facilities, including new locations f) Changes to outsourcing partners or subcontractors g) Intentions to subcontract, where such a practice has not been practised previously.
  4. Ensure that service reports are delivered regularly, that data is analysed, and that review meetings are conducted in accordance with agreed service levels.
  5. Ensure that outsourcing partners and subcontractors are audited and address any areas of concern.
  6. Conduct a review of security incidents based on the standard and practices agreed upon by the supplier and in accordance with the incident management standards.
  7. Records should be maintained on all incidents of information security, tangible operational problems, fault logs, and general barriers to meeting the agreed-upon service delivery standards.
  8. Take proactive action in response to incidents relating to information security.
  9. Identify any vulnerabilities in information security and mitigate them to the fullest extent possible.
  10. Perform an analysis of any relevant information security factors associated with the supplier’s relationship with its suppliers and subcontractors.
  11. In the event of significant disruption on the supplier’s side, including a disaster recovery effort, ensure service delivery is delivered to acceptable levels.
  12. Provide a list of the key personnel in the supplier’s operation responsible for maintaining compliance and adhering to the terms of the contract.
  13. Make sure that a supplier maintains a baseline standard for information security regularly.

Supporting Annex A Controls

  • ISO 27001:2022 Annex A 5.29
  • ISO 27001:2022 Annex A 5.30
  • ISO 27001:2022 Annex A 5.35
  • ISO 27001:2022 Annex A 5.36
  • ISO 27001:2022 Annex A 8.14

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

What Is the Benefit of Using ISMS.online to Manage Supplier Relationships?

This Annex A control objective has been made very easy by ISMS.online. This is because ISMS.online provides evidence that your relationships are carefully selected, well-managed, and monitored and reviewed. This is done in our easy-to-use Accounts relationships (e.g. supplier) area. Collaboration projects work spaces allow the auditor to easily view important supplier on boarding, joint initiatives, off boarding, etc.

In addition to assisting your organisation with this Annex A control objective, ISMS.online also provides you with the ability to provide evidence that the supplier has formally accepted the requirements and has understood its responsibilities for information security through our Policy Packs. As a result of their specific policies & controls, Policy Packs assure suppliers that their staff have read and committed to complying with the organisation’s policies & controls.

There may be a broader requirement to align with Annex A.5.8 Information security in project management, depending on the nature of the change (e.g. for more material changes).

Implementing ISO 27001 is easier with our step-by-step checklist, which guides you from defining your ISMS scope to identifying risks and implementing controls.

ISMS.online offers the following benefits:

  • The platform allows you to create an ISMS compliant with ISO 27001 requirements.
  • Users can complete tasks and submit evidence to demonstrate compliance with the standard.
  • The process of delegating responsibilities and monitoring compliance progress is easy.
  • As a result of the comprehensive risk assessment tool set, the process is expedited and time-saving.
  • A dedicated team of consultants can assist you throughout the compliance process.

Get in touch with us today to schedule a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.