ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements

What is ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements?

What is ISO 27001 Annex A 5.20 in ISO 27001?

Annex A 5.20 requires documenting security obligations in supplier contracts. This process involves integrating specific clauses into your existing procurement workflows. Organisations must use internal document repositories like SharePoint to manage these agreements. This ensures security requirements remain an active part of the business contract lifecycle.

Auditor’s Eye: The Shortcut Trap

SaaS compliance platforms often offer generic green ticks for contract uploads. This creates a disconnect between legal teams and security functions. Auditors want to see internal versioning in SharePoint, because it proves you reviewed the specific risks for each vendor. Reliance on black-box portals often masks a lack of genuine management intent. Auditors prefer evidence within your native document repositories, since these tools show how your organisation actually manages risk day to day.

| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Nature of Change |
|---|---|---|
| A.15.1.2 | 5.20 | The core requirement remains similar. It focuses on contractual security obligations. |

How to Implement ISO 27001 Annex A 5.20 (Step-by-Step)

Successful implementation requires integrating security rules into your existing procurement infrastructure. Frame this as a cultural shift in how you buy services. Use your internal tools to maintain control of the process.

  • Define Requirements: Create a list of security requirements in Confluence. Tailor these to different supplier risk profiles.
  • Select Clauses: Build a library of approved security annexes in SharePoint. Include terms for data handling and breach notification.
  • Formalise Workflow: Use Jira to track the procurement process. Make security approval a mandatory step before signing.
  • Store Agreements: Upload all final signed contracts to a secure SharePoint site. Maintain a central register for easy access.
  • Monitor Compliance: Use internal meeting minutes to document annual reviews. Ensure suppliers still meet the agreed security levels.

ISO 27001 Annex A 5.20 Audit Evidence Checklist

Lead auditors look for manual records and internal document versions. These prove human oversight and intent. Avoid showing external software dashboards during the audit.

  • Signed supplier agreements containing the required security annexes.
  • Version history of security clause templates in SharePoint.
  • Jira logs showing security team approval for new vendors.
  • Meeting minutes from management reviews of supplier contracts.
  • Evidence of manual checks against supplier security performance.

Relational Mapping

Annex A 5.19 provides the high-level policy for supplier relationships. Annex A 5.20 turns that policy into legally binding contractual terms. This control also supports Clause 8.1 regarding operational planning. It ensures third parties do not introduce unmanaged risks into your environment. Proper mapping requires linking these clauses within your internal wiki.

Auditor Interview

Auditor: How do you ensure suppliers accept your security rules?

User: We include mandatory security annexes in our standard contracts.

Auditor: Where do you store the signed versions of these agreements?

User: We manage all legal documents within a secure SharePoint library.

Auditor: How do you co-ordinate the review between security and legal?

User: We use a Jira workflow to capture approvals from both departments.

Common Non-Conformities

| Failure Mode | Description of Non-Conformity |
|---|---|
| Automated Complacency | Relying on a SaaS platform tick without having actual signed evidence. |
| Generic Clauses | Using the same security annex for a cleaner and a SaaS provider. |
| Missing Signatures | Having a policy in SharePoint but no signed contract with the supplier. |

Frequently Asked Questions

What is ISO 27001 Annex A 5.20?

Annex A 5.20 requires organisations to document security requirements in agreements with suppliers. This process ensures third parties protect your data. You must integrate these rules into standard contracts. Use internal document repositories like SharePoint to manage these signed obligations.

How do you define security requirements in agreements?

Define requirements based on the type of supplier service. Include clauses for data encryption and access management. Add requirements for security incident reporting and audit rights. Store these approved templates in a version-controlled document repository such as Confluence.

Who is responsible for supplier security agreements?

The procurement and legal teams co-ordinate the contractual process. The information security manager provides the technical requirements. Together, they ensure the supplier accepts the security annex. Management must verify that signed contracts exist in the internal repository.

LA CASA DE CERTIFICACIÓN