ISO 27001:2022 Annex A Control 5.20 Addressing Information Security Within Supplier Agreements

In this post, we’ll explain Annex A Control 5.20, its purpose, and how to implement it effectively to manage security risks in supplier relationships.

Written By:

Craig Pepper

ISO 27001:2022 Annex A Control 5.20 – Addressing Information Security in Supplier Agreements

As businesses increasingly rely on external suppliers for critical services, ensuring that these third parties adhere to robust information security standards is vital. ISO 27001:2022 Annex A Control 5.20 focuses on addressing information security within supplier agreements, ensuring that suppliers meet your organisation’s security requirements and protect your data and systems throughout the relationship.

What Is ISO 27001:2022 Annex A Control 5.20?

Annex A Control 5.20 governs how organisations should form contracts with suppliers, ensuring that information security obligations are explicitly outlined and agreed upon by both parties. This control ensures that the supplier and the organisation are aligned on security requirements, reducing the risk of security breaches, data loss, or non-compliance.

The control requires organisations to define security expectations clearly, including how sensitive data will be accessed, protected, and handled by suppliers. It also emphasises ongoing monitoring and regular updates to these agreements to reflect any changes in the relationship.

Purpose of ISO 27001:2022 Annex A Control 5.20

The main goal of Annex A Control 5.20 is to ensure that security standards are integrated into supplier agreements, preventing potential security risks from third-party relationships. This control helps manage the risks associated with suppliers accessing or handling sensitive data, IT infrastructure, or other valuable assets.

It ensures that both the organisation and the supplier have a mutual understanding of security obligations, preventing gaps that could lead to vulnerabilities or non-compliance with regulations.

Ownership of Annex A Control 5.20

Responsibility for Annex A Control 5.20 typically falls on those overseeing legal and contractual agreements within the organisation. If the organisation has an internal legal department, this team will usually handle drafting, amending, and storing contracts. Otherwise, a senior manager responsible for supplier relationships and commercial operations (such as a COO or procurement officer) will manage these agreements and ensure compliance with security requirements.

How to Implement ISO 27001:2022 Annex A Control 5.20

To effectively implement Annex A Control 5.20, organisations should ensure that supplier agreements include clear and comprehensive information security clauses. Here are the key steps to follow:

  1. Clearly Define Security Requirements: Ensure the agreement includes a clear description of the information that suppliers will access, how it will be accessed, and what security measures must be in place. Both parties should classify the information according to their classification schemes (see Annex A Controls 5.10, 5.12, and 5.13).
  2. Outline Legal, Regulatory, and Contractual Obligations: The contract should clearly cover areas such as legal, statutory, regulatory, and contractual obligations, including access to personal data, intellectual property rights, and copyright issues.
  3. Establish Incident Management Procedures: Both parties must agree on incident management procedures. This should detail how incidents will be reported, how they will be resolved, and what actions will be taken to minimise damage.
  4. Monitor and Audit Supplier Compliance: Implement a system for monitoring, assessing, and auditing the supplier’s information security practices. The agreement should allow for periodic audits and the submission of reports summarising the effectiveness of the supplier’s security measures.
  5. Address Subcontractor Involvement: If the supplier intends to use subcontractors, ensure that these third parties also adhere to the same information security standards as the supplier. This should be outlined clearly in the agreement to prevent security gaps in the supply chain.
  6. Ensure Data Backup and Redundancy: Require the supplier to maintain a backup and disaster recovery (BUDR) policy. This policy should cover backup types (full, incremental), frequency (daily, weekly), and locations (on-site, off-site). The agreement should also detail how data resilience will be ensured, particularly if the supplier's main ICT site is compromised.
  7. Define Physical Security Controls: Depending on the type of data or systems the supplier has access to, the agreement should specify physical security controls. This may include building access, room security, and visitor management protocols.
  8. Plan for Secure Data Transfer and Asset Protection: The agreement should describe how data and assets will be securely transferred between sites or systems, ensuring protection against loss, damage, or corruption.
  9. Manage Termination of Supplier Agreements: When the contract ends, ensure that the agreement specifies how access rights will be revoked, how information will be returned or securely destroyed, and how business continuity will be maintained. This prevents data leaks or operational disruptions after the relationship ends.
  10. Audit Rights and Change Management: Organisations should retain the right to audit supplier security practices and approve or reject changes to supplier processes that may affect information security.

Supplementary Guidance on ISO 27001:2022 Annex A Control 5.20

Annex A Control 5.20 recommends maintaining a register of agreements to help manage supplier relationships. This should include contracts, memoranda of understanding, and any other information-sharing agreements. These records allow organisations to track compliance with security requirements and manage supplier performance effectively.

Additionally, organisations should ensure that any agreements with suppliers are periodically reviewed and updated to reflect changes in security requirements, technology, or regulations.

Key Areas to Include in Supplier Agreements

To comply with ISO 27001:2022 Annex A Control 5.20, supplier agreements should address the following key areas:

  1. Information Classification and Access:
    • Clearly describe the information to be accessed and how it will be classified and protected.
    • Include information on both parties' classification systems and ensure they are aligned.
  2. Risk Management and Monitoring:
    • Outline the procedures for managing and mitigating information security risks.
    • Include provisions for monitoring, auditing, and reporting on security practices.
  3. Incident Response:
    • Specify how incidents will be managed and communicated between both parties.
    • Ensure that both parties understand the process for reporting security breaches and taking corrective action.
  4. Subcontractor Management:
    • Require subcontractors to follow the same security standards as the supplier.
    • Specify how subcontractor compliance will be monitored and enforced.
  5. Termination and Exit Strategy:
    • Detail the steps to be taken when the agreement ends, including the revocation of access rights, data destruction, and the transfer of responsibilities to new suppliers (if applicable).
  6. Legal and Regulatory Compliance:
    • Ensure the agreement addresses all relevant legal, regulatory, and contractual requirements, including data privacy laws (e.g., GDPR) and intellectual property rights.
  7. Change Management:
    • Establish clear policies for managing changes to supplier processes or systems that could affect information security. This includes changes in personnel, technology, or infrastructure.

Changes from ISO 27001:2013

ISO 27001:2022 Annex A Control 5.20 replaces ISO 27001:2013 Annex A Control 15.1.2 (Addressing Security Within Supplier Agreements). The updated version contains several new guidelines that broaden the scope of supplier agreements:

  1. Comprehensive Handover and Termination Procedures: The new control adds more detailed requirements for managing supplier relationships at the end of the contract, including handover procedures, data destruction, and termination provisions.
  2. Physical Security Controls: The 2022 version explicitly includes physical security requirements as part of supplier agreements, ensuring that data accessed or stored physically is properly protected.
  3. Backup and Disaster Recovery Requirements: The updated control includes detailed requirements for data backups and disaster recovery planning, ensuring data integrity and availability are maintained in case of supplier failure.
  4. Change Management: Change management procedures have been expanded in the 2022 version, requiring suppliers to notify the organisation of any changes that could impact information security, allowing the organisation to approve or reject changes in advance.

Best Practices for Implementing Annex A Control 5.20

To effectively manage information security in supplier agreements, organisations should follow these best practices:

  • Ensure Clarity in Contracts: Make sure all security expectations, responsibilities, and processes are clearly defined in the agreement. This includes how security breaches will be managed and how data will be protected.
  • Regularly Review and Update Agreements: Periodically audit and review supplier agreements to ensure they remain relevant to your organisation's security requirements and any regulatory changes.
  • Monitor Supplier Compliance: Use audits, performance reviews, and compliance checks to monitor supplier security practices and address any issues promptly.
  • Plan for Supplier Termination: Have a robust termination plan in place to ensure that all access rights are revoked, data is securely destroyed, and continuity is maintained when the agreement ends.

How Harpe.io Can Help Implement ISO 27001:2022 Annex A Control 5.20

Managing supplier agreements is a complex task, but Harpe.io makes it easier by helping your organisation integrate ISO 27001:2022 Annex A Control 5.20 into your supplier management processes.

  • Contract Management: Harpe.io allows you to store and manage supplier contracts, ensuring that security clauses are included and regularly updated.
  • Compliance Monitoring: Harpe.io helps track and monitor supplier compliance with your information security requirements, ensuring that suppliers meet the standards outlined in their agreements.
  • Audit Trails and Reporting: Harpe.io automatically logs and reports on supplier performance, providing valuable data for audits and reviews.
  • Termination and Handover Support: Harpe.io provides tools to manage the secure termination of supplier relationships, ensuring data protection and business continuity.

ISO 27001:2022 Annex A Control 5.20 ensures that organisations address information security within their supplier agreements, reducing the risks associated with third-party access to sensitive data and systems. By including comprehensive security clauses, monitoring supplier compliance, and planning for secure termination, organisations can protect their information assets throughout the supplier relationship.

With Harpe, managing supplier agreements becomes simpler, more transparent, and fully compliant with ISO 27001 standards. Ready to enhance your supplier management? Book a Demo and learn more about Harpe.
