Implementing ISO 27001 Annex A 8.21 Security of Information in the ICT Supply Chain
Welcome to this guide on one of the more critical controls in the modern information security landscape. If you are looking to achieve certification, you likely know that the way you handle your technology partners matters. We see many organisations struggle here, but at ISO27001.com, we want to make sure you get it right the first time.
Annex A 8.21 is titled Security of information in the ICT supply chain. That sounds like a mouthful, but it basically means you need to trust but verify the technology products and services you buy. Whether it is cloud hosting, software development, or hardware procurement, the risks in your supply chain are now your risks. Here is how you can implement this control effectively and what we, as a certification body, expect to see.
Understanding the Requirement
The main goal of this control is to manage the information security risks associated with the information and communication technology (ICT) products and services you use. The control wording in ISO/IEC 27002:2022 asks for defined and implemented processes and procedures to manage those risks, so you cannot simply buy a software tool and assume it is secure. You have to define security requirements, agree them with the supplier, and check that the supplier actually meets them.
When we audit this, we look for a process. We want to see that you have thought about what happens if a supplier fails or gets hacked. It is about extending your security bubble to cover the parts of your business that you do not own but definitely rely on.
Identify Your ICT Suppliers
You cannot secure what you do not know about. Your first step is to create an inventory of all ICT suppliers. This includes your internet service provider, your cloud storage, your CRM system, and even the company that supports your printers.
We often see clients miss the smaller providers. Make sure you talk to your finance team to see who you are paying. Once you have a list, you should categorise them based on risk. A supplier hosting your entire customer database is much higher risk than the one providing your office Wi-Fi.
Define Your Security Requirements
Before you sign a contract, you need to know what you want. You must define what security looks like for that specific relationship. Does the data need to be encrypted? Do they need to have ISO 27001 certification themselves? Do you need the right to audit them?
If you do not write these down, you cannot enforce them. We expect to see a document that lists standard security requirements for different types of suppliers. This shows us that you are proactive rather than reactive.
Assess the Supplier
This is the due diligence phase. Before you onboard a new vendor, you must check if they can meet your requirements. You might send them a security questionnaire or check their existing certifications.
For high-risk suppliers, you might need to go deeper. This could involve reviewing their penetration test results or having a call with their security officer. Keep records of this assessment. If we ask why you chose a specific vendor, show us the assessment that demonstrates they met your requirements at the time you onboarded them.
The Agreement
Once you are happy with the risk level, you need to put it in writing. The contract or service level agreement (SLA) must include security clauses. This is where many fail during an audit. You might have a great process, but if the contract does not mention security, you have no legal lever to pull if things go wrong.
Ensure the agreement covers things like incident reporting. If they get hacked, they must tell you within a specific timeframe. It should also cover what happens to your data if the contract ends.
Monitoring the Supply Chain
Your job does not end after the contract is signed. Supply chains change. A secure vendor today might be insecure tomorrow: they may change subcontractors, let their certification lapse, or ship a release that pulls in a vulnerable library. You need a process for regular monitoring.
This could be an annual review of their performance, or checking that their own ISO 27001 certificate is still valid and still covers the service you buy. For critical suppliers, you might track the software components they deliver, for example by asking for a software bill of materials (SBOM) with each release and checking it against published advisories, so that a vulnerable or newly introduced component does not reach your environment unnoticed.
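The component-tracking step described above, as an added example that is not part of the original guide: it loads two CycloneDX-style JSON SBOMs (the one accepted at onboarding and the one shipped with the supplier's latest release), flags components whose version falls inside a known-affected range, flags components that carry no version at all (which cannot be assessed), and reports what was added, removed or changed between the two deliveries. Both SBOM documents, every package name and every advisory ID here are constructed for the example; the simple dotted-numeric version comparison and the flat advisory list are assumptions that a real implementation would replace with an ecosystem-aware version parser and a live advisory feed.

```python
"""Review a supplier's SBOM against known-affected versions and against the
previously accepted SBOM (added example, not code from the original guide).

Inputs follow the CycloneDX JSON layout (components[] with name/version/purl).
All SBOM content, package names and advisory identifiers are constructed."""
import json

# Constructed SBOM accepted at onboarding.
SBOM_BASELINE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "example-http-client", "version": "2.3.1",
         "purl": "pkg:pypi/example-http-client@2.3.1"},
        {"name": "example-yaml", "version": "5.4.0",
         "purl": "pkg:pypi/example-yaml@5.4.0"},
    ],
})

# Constructed SBOM from the supplier's latest release: one upgrade, two new
# components, one of them shipped without a version.
SBOM_LATEST = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "example-http-client", "version": "2.3.1",
         "purl": "pkg:pypi/example-http-client@2.3.1"},
        {"name": "example-yaml", "version": "6.0.0",
         "purl": "pkg:pypi/example-yaml@6.0.0"},
        {"name": "example-telemetry", "version": "0.9.0",
         "purl": "pkg:pypi/example-telemetry@0.9.0"},
        {"name": "example-crypto", "purl": "pkg:pypi/example-crypto"},
    ],
})

# Hypothetical advisory feed: (package, first affected, first fixed, advisory id).
# The affected range is [first_affected, first_fixed).
ADVISORIES = [
    ("example-yaml", "5.0.0", "5.4.2", "ADV-EXAMPLE-001"),
    ("example-telemetry", "0.0.0", "1.0.0", "ADV-EXAMPLE-002"),
]


def load_components(sbom_json: str) -> dict:
    """Return {component name: version or None} from a CycloneDX-style SBOM."""
    bom = json.loads(sbom_json)
    return {c["name"]: c.get("version") for c in bom.get("components", [])}


def parse_version(version: str) -> tuple:
    """Assumption: plain dotted numeric versions such as "5.4.2"."""
    return tuple(int(part) for part in version.split("."))


def find_affected(components: dict, advisories: list) -> list:
    """Components whose version lies inside an advisory's affected range."""
    hits = []
    for name, version in sorted(components.items()):
        if version is None:          # unversioned: reported separately
            continue
        for pkg, first_affected, first_fixed, advisory in advisories:
            if pkg != name:
                continue
            if parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed):
                hits.append((name, version, advisory))
    return hits


def diff_sboms(baseline: dict, latest: dict) -> dict:
    """What changed between the accepted SBOM and the new delivery."""
    added = sorted(set(latest) - set(baseline))
    removed = sorted(set(baseline) - set(latest))
    changed = {name: (baseline[name], latest[name])
               for name in sorted(set(baseline) & set(latest))
               if baseline[name] != latest[name]}
    return {"added": added, "removed": removed, "changed": changed}


def review(baseline_json: str, latest_json: str, advisories: list) -> dict:
    """Full review: delivery diff plus advisory matches and unassessable parts."""
    baseline = load_components(baseline_json)
    latest = load_components(latest_json)
    report = diff_sboms(baseline, latest)
    report["affected"] = find_affected(latest, advisories)
    report["unversioned"] = sorted(n for n, v in latest.items() if v is None)
    return report


if __name__ == "__main__":
    print(json.dumps(review(SBOM_BASELINE, SBOM_LATEST, ADVISORIES), indent=2))
```

Every new or changed component in the report is a trigger to re-run the risk assessment for that supplier; an unversioned component is treated as a finding in its own right, because you cannot match it against any advisory and the contract clause on component transparency gives you the lever to ask for a corrected SBOM.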
What the Auditor Wants to See
When an auditor from a body like ours visits, we are looking for evidence. We do not just want to hear that you trust your vendors. We want proof. Here is a quick checklist of what we usually ask for:
- A list of your ICT suppliers and their risk ratings.
- Evidence of due diligence, such as completed questionnaires or reviewed certificates.
- Contracts that clearly state security requirements.
- Records of ongoing monitoring or annual reviews.
If you use the templates and guidance available on ISO27001.com, you will likely have the structure we are looking for. We want to see that you are in control of your data, even when it leaves your building.

Common Mistakes to Avoid
One common mistake is treating all suppliers the same. You do not need to audit the supplier of your lunchroom coffee machine the same way you audit your cloud provider. Spend your effort where the risk is highest.
Another mistake is failing to update your records. We often find supplier lists that are two years old. Make sure your asset owner reviews the relationship regularly. If a supplier changes their service, re-assess the risk.
Conclusion
Implementing Annex A 8.21 is about building a secure ecosystem. It acknowledges that in a connected world, you are only as strong as your weakest link. By identifying your suppliers, setting clear rules, and monitoring them, you reduce the chance of a third-party breach affecting your business.
Take it step by step. Start with your most critical vendors and work your way down. If you follow this logical approach, you will satisfy the certification body and, more importantly, keep your organisation safe.
