In the transition from the 2013 version of ISO 27001 to the 2022 update, many organisations have found that the “Supplier Management” domain has received a significant level of attention. While the previous article in this series touched on the overarching relationship management (Annex A 5.19), Annex A 5.20 specifically zooms in on the legal engine of that relationship: the supplier agreement.
If you are managing an ISMS, you know that the contract is often the only enforceable lever you have over a supplier’s security: once your data leaves your perimeter, the agreement is what gives you the right to demand controls, evidence and notification. The 2022 update has raised the bar for what those agreements actually need to contain. Let’s explore how Annex A 5.20 differs from its 2013 predecessor and what you need to do to keep your agreements compliant.
From A.15.1.2 to Annex A 5.20: A Broader Scope
In the ISO 27001:2013 framework, this control was known as A.15.1.2 (Addressing security within supplier agreements). Its primary focus was on ensuring that security requirements were documented. It was relatively straightforward, often satisfied by a standard data processing addendum or a confidentiality clause.
The 2022 update has renamed this to Annex A 5.20 (Addressing information security within supplier agreements). While the name hasn’t changed much, the guidance behind it has grown significantly. It is now part of the “Organizational Controls” theme, reinforcing the idea that your legal agreements are a cornerstone of your governance strategy.
More Granular Guidance Points
One of the most striking changes is the level of detail provided in the implementation guidance (found in ISO 27002:2022). The guidance for 5.20 now lists roughly two dozen specific terms that organisations should consider including in their supplier agreements, ranging from the classification of the information shared to exit and termination arrangements. The 2013 guidance was far less prescriptive.
According to the compliance experts at Hightable.io, Annex A 5.20 now places much more emphasis on the “technical” side of the legal agreement. It isn’t just about saying “be secure”; it is about defining the specific standards for the supplier’s ICT infrastructure, such as patching requirements and malware protection, right there in the contract.
New Emphasis on Data Destruction and Redundancy
In the 2013 version, the end of a supplier relationship was often an afterthought. The 2022 version corrects this by putting a spotlight on the “exit.” Annex A 5.20 now explicitly highlights the need for:
- Handover Procedures: Clear rules on how data and services are transferred back to you or to a new supplier.
- Information Destruction: Specific requirements for the secure deletion of your data once a contract ends, often requiring a formal certificate of destruction.
- Redundancy and Backups: As noted by Hightable.io, the updated guidance suggests that agreements should specify the supplier’s obligations regarding backup frequency, location, and type to ensure your business continuity isn’t compromised by their failure.
Incident Management and Reporting
While the 2013 version mentioned incident reporting, Annex A 5.20 goes much further. The guidance expects agreements to describe a mutual incident management procedure covering notification and collaboration during remediation. This means the contract shouldn’t just say “tell us if there is a breach,” but should detail how you will collaborate, what the notification timelines are, what information the supplier must provide, and who the points of contact will be on both sides.
This change reflects the modern regulatory environment, where a breach at a supplier can trigger strict reporting windows for the data controller (you). Under the GDPR, for example, a controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, while a processor must notify the controller without undue delay. If your supplier agreement doesn’t pin that obligation down to a concrete window (24 or 72 hours are common choices) and a defined channel, a supplier that sits on an incident for a week can leave you unable to meet your own reporting obligations.
The “Right to Audit” Just Got Stronger
The 2022 version places a heavier emphasis on verification. It isn’t enough to have a “right to audit” clause that sits in a drawer. Annex A 5.20 suggests that for high-risk suppliers, you should require independent evidence of control effectiveness, such as SOC 2 reports or the supplier’s own ISO 27001 certificate, together with periodic reporting on how their controls are performing. Treat that evidence critically: a SOC 2 Type II report covers a defined period and a defined set of services, and an ISO 27001 certificate carries a scope statement, so check that the scope actually includes the service you are buying and read any exceptions or non-conformities rather than filing the document unread.
Hightable.io highlights that auditors are increasingly looking for evidence that these audit rights are being exercised, or at least managed through a risk-based schedule. If you have a high-risk supplier but haven’t checked their security status in three years, you’ll likely face a non-conformity under the 2022 standard.
Practical Impact: Updating Your Contract Templates
If you are transitioning to ISO 27001:2022, your task for Annex A 5.20 is a “contract audit.” You need to look at your standard supplier templates and existing high-risk contracts to see if they cover these updated areas. Key questions to ask include:
- Do our contracts specify requirements for the supplier’s ICT security (e.g., encryption, patching)?
- Is there a clear procedure for data return or destruction upon termination?
- Does the contract specify how the supplier will notify us of security incidents?
- Do we have a record of these agreements in a centralized “Supplier Register”?
Many organisations are finding that they need to create a “Supplier Security Annex” that they can attach to every new contract to ensure all of the 5.20 guidance points are addressed in one place. Hightable.io recommends this modular approach because it prevents you from having to renegotiate the entire master services agreement every time you need to update a security requirement.

Why This Change is a Game Changer
The shift from the 2013 version to ISO 27001:2022 Annex A 5.20 is about shifting power back to the customer. It encourages organisations to be more demanding of their suppliers and more proactive in their oversight. By formalising these expectations in the agreement, you move from a relationship based on “trust” to one based on “verified security.”
For those navigating this transition, utilising the contract checklists and supplier management templates at Hightable.io can significantly reduce the administrative burden of bringing your legacy agreements up to the new 2022 standard.
