ISO 27001 Annex A 5.20 – Addressing Information Security Within Supplier Agreements

ISO 27001 Annex A 5.20 is a simple rule. It says that your business must create and agree upon information security rules with all your suppliers.

What Does This Mean?

This rule is about putting a legal plan in place. This plan is often a formal contract, a business agreement, or a set of terms. This legal document makes sure that your suppliers protect the data they handle for you.

Why is this Important?

Suppliers are one of the biggest risks your business faces. You cannot manage them day-to-day. Yet, you depend on them, they hold your data, and they offer services you need to succeed. Using a formal agreement helps you control that risk, even from a distance.

What is ISO 27001 Annex A 5.20?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Addressing Information Security Within Supplier Agreements”.

What is the ISO 27001 Annex A 5.20 control objective?

The formal definition and control objective in the standard is: “Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.”

What is the purpose of ISO 27001 Annex A 5.20?

The purpose of ISO 27001 Annex A 5.20 is “To ensure you maintain an agreed level of information security in supplier relationships”.

Is ISO 27001 Annex A 5.20 Mandatory?

ISO 27001 Annex A control 5.20 (Addressing Information Security Within Supplier Agreements in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.20 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Why is ISO 27001 Annex A 5.20 Important?

The rule in ISO 27001 called “Information Security In Supplier Relationships” is very important because suppliers are often the biggest risk to your company.

Think of it this way:

  • If your suppliers do not handle information correctly, your reputation is at risk.
  • Your money is also at stake.
  • Your overall success could be harmed.

By getting your supplier management right, you can greatly reduce these risks.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. This rule is mainly about having a clear process for:

Finding and Classifying Suppliers

  • Identifying Suppliers: Find and clearly write down the names and details of all your suppliers.
  • Supplier Types: Note the different kinds of suppliers you work with.

Checking Security and Access

  • Evaluating Suppliers: Check suppliers based on how they handle, send, or share your information.
  • Reviewing Controls: Look closely at the security rules and safeguards the supplier has in place.
  • Documenting Access: Write down exactly what information and systems suppliers can look at, track, manage, or use.
  • People and Physical Security: Decide how much security is needed for the supplier’s staff and buildings.

Managing Risks and Compliance

  • Assessing and Managing Risks: Check for and handle any potential dangers related to using that supplier.
  • Monitoring Security: Watch the supplier to make sure they follow all the information security rules.
  • Fixing Issues: If a supplier does not follow the rules, put plans in place to fix the problem.

Handling Ongoing Operations

  • Incident Handling: Have a plan for dealing with security problems or incidents right away.
  • Availability and Recovery: Make sure they have plans for keeping things running (business continuity) and recovering from a disaster.
  • Managing Information Transfer: Manage the process for sending information to and from the supplier safely.

Ending a Relationship

  • Terminating Relationships: Define a clear process for safely ending a working relationship with a supplier.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will check:

1. Your Supplier Management Process

The auditor will review your rules, steps, and methods for handling suppliers. They want to be sure you followed these steps exactly. To pass this check, make sure:

  • You have a complete list of all your suppliers.
  • You have written contracts or agreements for every supplier.
  • You have proof that your suppliers are handling your information securely.

2. Your ISO 27001 Supplier Register

You must have an ISO 27001 Supplier Register. You use this list to keep track of and manage all your suppliers. Make sure this register is current and truly shows how your company works now.

3. Documentation Checks

The auditor will look closely at your documents and audit trails. They will check that your documents are classified and labelled correctly. For instance, any document you show them that is secret or sensitive should be clearly marked as confidential. They will also check:

  • Is the document up to date?
  • Has someone reviewed it in the past 12 months?
  • Does the version number on the document match your records?