Control 5.20 governs how an organisation forms a contractual relationship with a supplier, based on their security requirements and the type of suppliers they deal with.
5.20 is a preventative control that maintains risk by establishing mutually agreed information security obligations between organisations and their suppliers.
Whereas Control 5.19 governs information security throughout the relationship, Control 5.20 is concerned with how organisations form binding agreements at the start of a relationship.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| Preventative | Confidentiality, Integrity, Availability | Identify | Supplier Relationships Security | Governance and Ecosystem, Protection |
Ownership of Control 5.20 should be dependent on whether or not the organisation operates their own legal department, and the underlying nature of any signed agreement.
If the organisation has the legal capacity to draft, amend and store its own contractual agreements without third-party involvement, ownership of 5.20 should rest with the person who holds ultimate responsibility for legally binding agreements within the organisation (contracts, memoranda of understanding, SLAs etc.).
If the organisation outsources such agreements, ownership of Control 5.20 should rest with a member of senior management that oversees an organisation’s commercial operation, and maintains a direct relationship with an organisation’s suppliers, such as a Chief Operating Officer.
Control 5.20 contains 25 guidance points that ISO states “can be considered” (i.e. not necessarily all of them) in order to fulfil an organisation’s information security requirements.
Regardless of what measures are adopted, Control 5.20 explicitly states that both parties should exit the process with a “clear understanding” of their information security obligations to one another.
To aid organisations in managing supplier relationships, Control 5.20 states that organisations should maintain a register of agreements.
Registers should list all agreements held with other organisations, categorised by the nature of the relationship, such as contracts, memoranda of understanding and information-sharing agreements.
ISO 27002:2022-5.20 replaces 27002:2013-15.1.2 (Addressing security within supplier agreements).
ISO 27002:2022-5.20 contains numerous additional guidance points that deal with a broad range of technical, legal and compliance-related topics, including:
Broadly speaking, ISO 27002:2022-5.20 puts a much greater emphasis on what occurs at the end of a supplier relationship, and allocates far more importance to how a supplier achieves redundancy and data integrity throughout the course of an agreement.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |