ISO 27001:2022 Annex A Control 5.22

ISO 27001:2022 Annex A 5.22 General Guidance

According to ISO 27001:2022 Annex A Control 5.22, 13 key areas should be considered when managing supplier relationships and how these factors affect their own information security measures.

An organisation must ensure that employees responsible for managing service-level agreements and supplier relationships possess the requisite skills and technical resources. This is to ensure that they are able to evaluate supplier performance adequately and that information security standard is not breached.

An organisation’s policies and procedures should be drafted by:

1. Continuously monitor service levels in accordance with published service level agreements, and address any shortfalls as soon as they arise.
2. The supplier must be monitored for any changes to their own operation, including (but not limited to): (1) Service enhancements (2) New applications, systems or software processes (3) Relevant and meaningful revisions to the internal governance documents of the supplier, and (4) any changes to incident management procedures or attempts to improve the level of information security.
3. Any changes involving the service, including (but not limited to): a) Infrastructure changes b) Applications of emerging technologies c) Product updates and version upgrades d) Changes in the development environment e) Logistical and physical changes to supplier facilities, including new locations f) Changes to outsourcing partners or subcontractors g) Intentions to subcontract, where such a practice has not been practised previously.
4. Ensure that service reports are delivered regularly, that data is analysed, and that review meetings are conducted in accordance with agreed service levels.
5. Ensure that outsourcing partners and subcontractors are audited and address any areas of concern.
6. Conduct a review of security incidents based on the standard and practices agreed upon by the supplier and in accordance with the incident management standards.
7. Records should be maintained on all incidents of information security, tangible operational problems, fault logs, and general barriers to meeting the agreed-upon service delivery standards.
8. Take proactive action in response to incidents relating to information security.
9. Identify any vulnerabilities in information security and mitigate them to the fullest extent possible.
10. Perform an analysis of any relevant information security factors associated with the supplier’s relationship with its suppliers and subcontractors.
11. In the event of significant disruption on the supplier’s side, including a disaster recovery effort, ensure service delivery is delivered to acceptable levels.
12. Provide a list of the key personnel in the supplier’s operation responsible for maintaining compliance and adhering to the terms of the contract.
13. Make sure that a supplier maintains a baseline standard for information security regularly.

Supporting Annex A Controls

• ISO 27001:2022 Annex A 5.29
• ISO 27001:2022 Annex A 5.30
• ISO 27001:2022 Annex A 5.35
• ISO 27001:2022 Annex A 5.36
• ISO 27001:2022 Annex A 8.14

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

What Is the Benefit of Using ISMS.online to Manage Supplier Relationships?

This Annex A control objective has been made very easy by ISMS.online. This is because ISMS.online provides evidence that your relationships are carefully selected, well-managed, and monitored and reviewed. This is done in our easy-to-use Accounts relationships (e.g. supplier) area. Collaboration projects work spaces allow the auditor to easily view important supplier on boarding, joint initiatives, off boarding, etc.

In addition to assisting your organisation with this Annex A control objective, ISMS.online also provides you with the ability to provide evidence that the supplier has formally accepted the requirements and has understood its responsibilities for information security through our Policy Packs. As a result of their specific policies & controls, Policy Packs assure suppliers that their staff have read and committed to complying with the organisation’s policies & controls.

There may be a broader requirement to align with Annex A.5.8 Information security in project management, depending on the nature of the change (e.g. for more material changes).

Implementing ISO 27001 is easier with our step-by-step checklist, which guides you from defining your ISMS scope to identifying risks and implementing controls.

ISMS.online offers the following benefits:

• The platform allows you to create an ISMS compliant with ISO 27001 requirements.
• Users can complete tasks and submit evidence to demonstrate compliance with the standard.
• The process of delegating responsibilities and monitoring compliance progress is easy.
• As a result of the comprehensive risk assessment tool set, the process is expedited and time-saving.
• A dedicated team of consultants can assist you throughout the compliance process.

Get in touch with us today to schedule a demo.