ISO 27001:2022 Annex A Control 5.21 – Monitoring and Review and Change Management of Supplier Services

ISO 27001:2022 Annex A Control 5.21 – Managing Information Security in the ICT Supply Chain

In an interconnected digital world, your organisation’s security relies on the security of its suppliers, particularly those in the ICT (Information and Communication Technology) supply chain. ISO 27001:2022 Annex A Control 5.21 outlines guidelines for managing and securing ICT supplier relationships, ensuring that all components, products, and services meet high-security standards before being integrated into your systems.

This post explains Annex A Control 5.21, its importance, and practical steps for managing information security risks across the ICT supply chain.

What Is ISO 27001:2022 Annex A Control 5.21?

Annex A Control 5.21 is designed to help organisations manage security risks in the ICT supply chain by establishing an “agreed level of security” with suppliers. This control applies to any ICT products, services, and components—whether hardware or software—provided by external vendors and third parties. It ensures that these suppliers meet your security standards and that they have robust processes in place to prevent breaches or vulnerabilities from entering your organisation through third-party products.

Purpose of ISO 27001:2022 Annex A Control 5.21

The primary purpose of Annex A Control 5.21 is to set clear information security expectations for ICT suppliers and ensure that these standards are upheld throughout the supply chain. This control is essential for safeguarding your organisation against risks associated with third-party ICT products and services. By enforcing these guidelines, organisations can prevent the introduction of security vulnerabilities through external components, minimise data breaches, and ensure continuity in the ICT supply chain.

Ownership of Annex A Control 5.21

Annex A Control 5.21 should be managed by those responsible for overseeing ICT supplier relationships, typically roles such as the Chief Technical Officer (CTO) or the Head of Information Technology (IT). These individuals are responsible for acquiring, managing, and renewing ICT supplier relationships and ensuring that suppliers comply with the organisation’s information security requirements.

Implementing ISO 27001:2022 Annex A Control 5.21

To ensure compliance with Annex A Control 5.21, organisations should establish formal agreements with ICT suppliers and perform regular security checks. Here are key steps to implement this control:

1. Define Security Standards for ICT Suppliers:Draft information security standards that specify how suppliers should secure ICT products and services. These standards should cover aspects like access control, data encryption, and incident response.
2. Ensure Subcontractor Compliance:If ICT suppliers subcontract part of the service to third parties, require them to ensure that all subcontractors comply with your organisation’s security standards. This extends security requirements throughout the supply chain.
3. Communicate Security Requirements to Vendors:When a supplier relies on third-party components, ensure that they communicate your organisation’s security requirements to these vendors, ensuring that each layer of the supply chain meets your standards.
4. Understand Software Components and Functionality:Request detailed information about the nature, function, and origin of each software component. This ensures that each product or service meets your security standards without introducing vulnerabilities.
5. Assess Criticality of ICT Components:Identify and assess which components are essential for core functionality. Document and track these elements, especially those that could affect security if tampered with or removed.
6. Log Critical Components Through the Supply Chain:Suppliers should track and maintain audit logs for critical components throughout the supply chain. This step enables traceability and verifies that components maintain their integrity from development to delivery.
7. Obtain Security Assurances for ICT Products:Request supplier assurances that all ICT products and services comply with industry standards and don’t contain hidden or insecure features that could pose security risks. This can be verified with certifications, security documentation, or independent assessments.
8. Confirm Authenticity of ICT Components:Suppliers should provide anti-tampering assurances, confirming that the hardware and software components they deliver have not been altered in transit or during development. Where possible, implement checks or certification of authenticity for critical components.
9. Adhere to Industry Security Standards:Require suppliers to meet industry-standard security practices. This may include formal certifications (e.g., Common Criteria Certification) or documented compliance with recognised information security frameworks.
10. Define Data Handling and Conflict Resolution:Suppliers must understand their data handling obligations and the conflict resolution procedures if issues arise. This includes clarifying how they will handle and secure your data, particularly in shared supply chain operations.
11. Manage Risks of Unsupported Components:For legacy or unsupported components, implement procedures to mitigate risks, such as additional monitoring or limited access. Ensure there is a plan to replace or update these components if they become unmanageable.

Supplementary Guidance for Annex A Control 5.21

Annex A Control 5.21 complements existing supply chain management policies by adding ICT-specific security expectations. ISO recognises that organisations may not always be able to verify every detail of a supplier’s internal processes. However, organisations should still establish supplier-specific checks and outline supplier security responsibilities in contracts to ensure that security standards are upheld.

Changes from ISO 27001:2013

ISO 27001:2022 Annex A Control 5.21 replaces ISO 27001:2013 Annex A Control 15.1.3. While the fundamental guidance remains, the 2022 version introduces several new areas of focus:

1. Greater Emphasis on Component Authenticity and Integrity:The updated control highlights the need for ICT suppliers to provide detailed component-level security assurances, including tracking critical elements throughout the supply chain.
2. New Requirements for Hardware and Software Security Features:Suppliers are now expected to provide documentation on security features for hardware and software, including their proper use, to prevent security risks due to unfamiliarity with the component’s functions.
3. Risk Management for Unsupported Components:The updated control recognises the growing risk of legacy systems and unsupported components, requiring organisations to have procedures for managing these risks.

Best Practices for Managing Information Security in the ICT Supply Chain

To comply with Annex A Control 5.21 effectively, organisations should integrate these best practices:

• Regularly Audit ICT Suppliers: Periodically assess suppliers’ compliance with information security standards. Audits should cover component integrity, data handling practices, and adherence to security certifications.
• Maintain Detailed Documentation: Track and document all components and products delivered by suppliers, particularly those considered critical for core functionality or security. This allows for quick verification of component integrity in the event of a security incident.
• Incorporate Security in Supplier Contracts: Include specific clauses in supplier contracts that outline security requirements, data handling protocols, and incident response expectations.
• Verify Anti-Tampering Measures: For critical components, require suppliers to use tamper-proof packaging, secure delivery methods, and traceable component histories to prevent unauthorised modifications.
• Establish Legacy Component Policies: For older systems, establish monitoring, risk assessment, and support protocols, ensuring that risks associated with outdated components are managed proactively.

How Harpe.io Can Help Implement ISO 27001:2022 Annex A Control 5.21

Harpe.io provides tools to simplify and enhance ICT supply chain security, helping your organisation comply with ISO 27001:2022 Annex A Control 5.21. Here’s how Harpe.io can support your ICT supply chain management:

• Automated Supplier Audits and Compliance Tracking: Harpe.io enables automated tracking of supplier compliance with information security standards, providing real-time updates and alerts for any potential non-compliance issues.
• Component Tracking and Documentation: Harpe.io helps organisations document and track each ICT component and software detail provided by suppliers, ensuring core functionality elements are recorded and traceable.
• Risk Assessment Tools for Unsupported Components: Harpe.io offers tools to assess the risks associated with legacy or unsupported ICT components, providing actionable insights to manage these risks effectively.
• Contract and Policy Management: Harpe.io allows organisations to store, manage, and update ICT supplier contracts, ensuring that security clauses are consistently enforced and reviewed for compliance.

Conclusion

ISO 27001:2022 Annex A Control 5.21 helps organisations protect their systems by managing security risks in the ICT supply chain. By setting clear security expectations for ICT suppliers and continuously monitoring component integrity, organisations can prevent vulnerabilities and reduce risks associated with third-party products and services.

With Harpe managing ICT supply chain security becomes straightforward and efficient, helping your organisation maintain compliance with ISO 27001 standards. Ready to secure your ICT supply chain? Get started with Harpe today!