ISO 27001 A.5.20 Addressing Information Security Within Supplier Agreements Checklist

A.5.20 Addressing Information Security Within Supplier Agreements is a crucial control under the ISO/IEC 27001:2022 standard. This control mandates that organisations ensure their suppliers adhere to stringent information security policies and controls to safeguard sensitive information throughout the supply chain.

Given the increasing complexity of supply chains and the evolving nature of cybersecurity threats, effectively implementing this control is essential for maintaining robust information security.

The primary objective of A.5.20 is to ensure that information security requirements are explicitly defined, effectively communicated, and rigorously enforced within supplier agreements. This not only protects the organisation’s information assets but also ensures that suppliers maintain high standards of information security.


Why Should You Comply With Annex A.5.20? Key Aspects and Common Challenges

1. Supplier Selection and Evaluation

Risk Assessment

  • Objective: Identify and evaluate potential risks associated with suppliers.
  • Challenges: Accurately assessing risks, especially for suppliers with complex operations.
  • Solutions: Develop a comprehensive risk assessment framework that includes both qualitative and quantitative methods. Use third-party risk assessment tools for additional insights.
  • ISMS.online Features: Utilise the Risk Management module with Dynamic Risk Map and Risk Monitoring.
  • Compliance Checklist:
    ◦ Conduct a comprehensive risk assessment for each supplier.
    ◦ Document identified risks and mitigation strategies.
    ◦ Review and update risk assessments periodically.

Criteria for Selection

  • Objective: Establish and apply criteria for selecting suppliers based on their information security capabilities.
  • Challenges: Ensuring criteria are comprehensive and aligned with security policies.
  • Solutions: Develop a standardised supplier evaluation checklist that aligns with the organisation’s security policies and requirements.
  • ISMS.online Features: Use the Supplier Management module to maintain supplier assessments and performance metrics.
  • Compliance Checklist:
    ◦ Define and document criteria for supplier selection.
    ◦ Evaluate suppliers based on the defined criteria.
    ◦ Maintain records of supplier evaluations.

2. Contractual Obligations

Information Security Clauses

  • Objective: Include specific information security responsibilities in supplier contracts.
  • Challenges: Ensuring all contracts are updated and include relevant security clauses.
  • Solutions: Regularly review and update contract templates to include the latest security requirements. Use legal expertise to ensure enforceability.
  • ISMS.online Features: Use the Policy Management module with Policy Templates and Policy Pack.
  • Compliance Checklist:
    ◦ Draft standard information security clauses for supplier contracts.
    ◦ Include these clauses in all new supplier contracts.
    ◦ Update existing contracts to incorporate information security clauses.

Compliance Requirements

  • Objective: Ensure suppliers comply with relevant laws, regulations, and standards.
  • Challenges: Keeping up with changing regulations and ensuring supplier compliance.
  • Solutions: Implement a regulatory monitoring system to stay updated on changes. Provide training sessions for suppliers on new compliance requirements.
  • ISMS.online Features: Utilise the Compliance Management module with Regs Database and Alert System.
  • Compliance Checklist:
    ◦ Identify relevant laws, regulations, and standards for each supplier.
    ◦ Communicate compliance requirements to suppliers.
    ◦ Monitor supplier compliance with these requirements.

Right to Audit

  • Objective: Include audit rights in supplier contracts to ensure compliance with security measures.
  • Challenges: Gaining agreement from suppliers on audit rights and scheduling audits.
  • Solutions: Negotiate audit clauses at the beginning of the relationship. Schedule audits in advance and provide clear guidelines on the audit process.
  • ISMS.online Features: Use the Audit Management module to plan, execute, and document audits.
  • Compliance Checklist:
    ◦ Include audit rights in supplier contracts.
    ◦ Schedule regular audits of suppliers.
    ◦ Document audit findings and follow-up actions.

3. Communication and Coordination

Information Exchange

  • Objective: Define secure methods for exchanging information between the organisation and suppliers.
  • Challenges: Ensuring secure communication channels and consistent protocols.
  • Solutions: Implement encryption and secure communication tools. Regularly update and test communication protocols.
  • ISMS.online Features: Utilise Communication tools such as Notification System and Collaboration Tools.
  • Compliance Checklist:
    ◦ Establish secure communication channels with suppliers.
    ◦ Define and document information exchange protocols.
    ◦ Train relevant personnel on secure communication practices.

Incident Management

  • Objective: Establish procedures for reporting and managing information security incidents involving suppliers.
  • Challenges: Ensuring timely incident reporting and effective management coordination.
  • Solutions: Develop a detailed incident response plan that includes supplier coordination. Conduct regular incident response drills.
  • ISMS.online Features: Implement the Incident Management module with Incident Tracker and Workflow.
  • Compliance Checklist:
    ◦ Define incident reporting and management procedures.
    ◦ Communicate these procedures to suppliers.
    ◦ Ensure timely reporting and coordination of incident management.


4. Monitoring and Review

Regular Reviews

  • Objective: Conduct regular reviews and assessments of supplier compliance with information security requirements.
  • Challenges: Consistently conducting thorough reviews and managing resources for continuous monitoring.
  • Solutions: Establish a review schedule and use automated tools to streamline the review process. Allocate sufficient resources for regular monitoring.
  • ISMS.online Features: Use the Supplier Management module to schedule and track performance reviews.
  • Compliance Checklist:
    ◦ Schedule regular compliance reviews for suppliers.
    ◦ Document the outcomes of each review.
    ◦ Implement follow-up actions based on review findings.

Performance Metrics

  • Objective: Implement performance metrics to monitor supplier adherence to contractual obligations.
  • Challenges: Defining appropriate metrics and ensuring accurate data collection.
  • Solutions: Develop key performance indicators (KPIs) that align with contractual obligations. Use data analytics to monitor and report on supplier performance.
  • ISMS.online Features: Use the Performance Tracking module with KPI Tracking and Trend Analysis.
  • Compliance Checklist:
    ◦ Define performance metrics for supplier compliance.
    ◦ Collect and analyse performance data regularly.
    ◦ Use performance data to drive improvements in supplier management.

5. Training and Awareness

Supplier Training

  • Objective: Ensure suppliers receive adequate training on the organisation’s information security policies and procedures.
  • Challenges: Ensuring training is effective and reaches all relevant supplier personnel.
  • Solutions: Develop comprehensive training programmes tailored to supplier needs. Use e-learning platforms to facilitate training and track progress.
  • ISMS.online Features: Use the Training module with Training Modules and Training Tracking.
  • Compliance Checklist:
    ◦ Develop training materials on information security policies.
    ◦ Deliver training to supplier personnel.
    ◦ Track training attendance and completion.

6. Termination of Agreement

Data Return and Deletion

  • Objective: Define procedures for the secure return or deletion of the organisation’s information upon termination of the supplier agreement.
  • Challenges: Ensuring complete and secure data return or deletion.
  • Solutions: Develop clear data return and deletion procedures and include them in the contract. Use verification processes to ensure compliance.
  • ISMS.online Features: Use the Document Management module with Version Control and Document Retention.
  • Compliance Checklist:
    ◦ Define procedures for data return and deletion.
    ◦ Communicate these procedures to suppliers.
    ◦ Verify and document the secure return or deletion of data.

Exit Strategy

  • Objective: Develop an exit strategy to manage the transition of services to a new supplier or back in-house, maintaining information security throughout.
  • Challenges: Managing transitions smoothly without compromising information security.
  • Solutions: Create a detailed exit strategy that includes roles and responsibilities, timelines, and security measures. Conduct transition drills to test the strategy.
  • ISMS.online Features: Use the Business Continuity module with Continuity Plans.
  • Compliance Checklist:
    ◦ Develop a comprehensive exit strategy.
    ◦ Communicate the exit strategy to relevant stakeholders.
    ◦ Implement the exit strategy and monitor its effectiveness.

Protect Your Organisation

By leveraging the comprehensive features of ISMS.online and addressing these common challenges, organisations can ensure robust compliance with A.5.20. This involves effectively managing information security within supplier agreements and safeguarding their information assets throughout the supply chain.

Implementing these practices not only ensures compliance with ISO 27001:2022 but also strengthens the overall security posture of the organisation, fostering a culture of continuous improvement and vigilance in information security management.


Every Annex A Control Checklist Table

ISO 27001 Annex A.5 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.5.1 | Policies for Information Security Checklist
Annex A.5.2 | Information Security Roles and Responsibilities Checklist
Annex A.5.3 | Segregation of Duties Checklist
Annex A.5.4 | Management Responsibilities Checklist
Annex A.5.5 | Contact With Authorities Checklist
Annex A.5.6 | Contact With Special Interest Groups Checklist
Annex A.5.7 | Threat Intelligence Checklist
Annex A.5.8 | Information Security in Project Management Checklist
Annex A.5.9 | Inventory of Information and Other Associated Assets Checklist
Annex A.5.10 | Acceptable Use of Information and Other Associated Assets Checklist
Annex A.5.11 | Return of Assets Checklist
Annex A.5.12 | Classification of Information Checklist
Annex A.5.13 | Labelling of Information Checklist
Annex A.5.14 | Information Transfer Checklist
Annex A.5.15 | Access Control Checklist
Annex A.5.16 | Identity Management Checklist
Annex A.5.17 | Authentication Information Checklist
Annex A.5.18 | Access Rights Checklist
Annex A.5.19 | Information Security in Supplier Relationships Checklist
Annex A.5.20 | Addressing Information Security Within Supplier Agreements Checklist
Annex A.5.21 | Managing Information Security in the ICT Supply Chain Checklist
Annex A.5.22 | Monitoring, Review and Change Management of Supplier Services Checklist
Annex A.5.23 | Information Security for Use of Cloud Services Checklist
Annex A.5.24 | Information Security Incident Management Planning and Preparation Checklist
Annex A.5.25 | Assessment and Decision on Information Security Events Checklist
Annex A.5.26 | Response to Information Security Incidents Checklist
Annex A.5.27 | Learning From Information Security Incidents Checklist
Annex A.5.28 | Collection of Evidence Checklist
Annex A.5.29 | Information Security During Disruption Checklist
Annex A.5.30 | ICT Readiness for Business Continuity Checklist
Annex A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements Checklist
Annex A.5.32 | Intellectual Property Rights Checklist
Annex A.5.33 | Protection of Records Checklist
Annex A.5.34 | Privacy and Protection of PII Checklist
Annex A.5.35 | Independent Review of Information Security Checklist
Annex A.5.36 | Compliance With Policies, Rules, and Standards for Information Security Checklist
Annex A.5.37 | Documented Operating Procedures Checklist


ISO 27001 Annex A.6 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.6.1 | Screening Checklist
Annex A.6.2 | Terms and Conditions of Employment Checklist
Annex A.6.3 | Information Security Awareness, Education and Training Checklist
Annex A.6.4 | Disciplinary Process Checklist
Annex A.6.5 | Responsibilities After Termination or Change of Employment Checklist
Annex A.6.6 | Confidentiality or Non-Disclosure Agreements Checklist
Annex A.6.7 | Remote Working Checklist
Annex A.6.8 | Information Security Event Reporting Checklist


ISO 27001 Annex A.7 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.7.1 | Physical Security Perimeters Checklist
Annex A.7.2 | Physical Entry Checklist
Annex A.7.3 | Securing Offices, Rooms, and Facilities Checklist
Annex A.7.4 | Physical Security Monitoring Checklist
Annex A.7.5 | Protecting Against Physical and Environmental Threats Checklist
Annex A.7.6 | Working in Secure Areas Checklist
Annex A.7.7 | Clear Desk and Clear Screen Checklist
Annex A.7.8 | Equipment Siting and Protection Checklist
Annex A.7.9 | Security of Assets Off-Premises Checklist
Annex A.7.10 | Storage Media Checklist
Annex A.7.11 | Supporting Utilities Checklist
Annex A.7.12 | Cabling Security Checklist
Annex A.7.13 | Equipment Maintenance Checklist
Annex A.7.14 | Secure Disposal or Re-Use of Equipment Checklist


ISO 27001 Annex A.8 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.8.1 | User Endpoint Devices Checklist
Annex A.8.2 | Privileged Access Rights Checklist
Annex A.8.3 | Information Access Restriction Checklist
Annex A.8.4 | Access to Source Code Checklist
Annex A.8.5 | Secure Authentication Checklist
Annex A.8.6 | Capacity Management Checklist
Annex A.8.7 | Protection Against Malware Checklist
Annex A.8.8 | Management of Technical Vulnerabilities Checklist
Annex A.8.9 | Configuration Management Checklist
Annex A.8.10 | Information Deletion Checklist
Annex A.8.11 | Data Masking Checklist
Annex A.8.12 | Data Leakage Prevention Checklist
Annex A.8.13 | Information Backup Checklist
Annex A.8.14 | Redundancy of Information Processing Facilities Checklist
Annex A.8.15 | Logging Checklist
Annex A.8.16 | Monitoring Activities Checklist
Annex A.8.17 | Clock Synchronisation Checklist
Annex A.8.18 | Use of Privileged Utility Programs Checklist
Annex A.8.19 | Installation of Software on Operational Systems Checklist
Annex A.8.20 | Networks Security Checklist
Annex A.8.21 | Security of Network Services Checklist
Annex A.8.22 | Segregation of Networks Checklist
Annex A.8.23 | Web Filtering Checklist
Annex A.8.24 | Use of Cryptography Checklist
Annex A.8.25 | Secure Development Life Cycle Checklist
Annex A.8.26 | Application Security Requirements Checklist
Annex A.8.27 | Secure System Architecture and Engineering Principles Checklist
Annex A.8.28 | Secure Coding Checklist
Annex A.8.29 | Security Testing in Development and Acceptance Checklist
Annex A.8.30 | Outsourced Development Checklist
Annex A.8.31 | Separation of Development, Test and Production Environments Checklist
Annex A.8.32 | Change Management Checklist
Annex A.8.33 | Test Information Checklist
Annex A.8.34 | Protection of Information Systems During Audit Testing Checklist


How ISMS.online Helps With A.5.20

Ready to enhance your organisation’s information security and ensure compliance with ISO 27001:2022?

Discover how ISMS.online can streamline your compliance efforts, manage supplier relationships, and protect your valuable information assets. Our comprehensive platform offers all the tools and features you need to effectively implement A.5.20 and other critical controls.

Contact us now to schedule a personalised demo and see how ISMS.online can transform your information security management. Our experts are here to guide you through every step, ensuring you get the most out of our solutions.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.