This rule is about ICT supplier management, which means a company must have a system to handle the information security risks of its third-party IT systems, products and services.
What is ISO 27001 Annex A 5.21?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Managing Information Security In The ICT Supply Chain”.
What is the ISO 27001 Annex A 5.21 control objective?
The formal definition and control objective in the standard is: “Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.”
What is the purpose of ISO 27001 Annex A 5.21?
The purpose of ISO 27001 Annex A 5.21 is “To ensure you maintain an agreed level of information security in supplier relationships.”
Is ISO 27001 Annex A 5.21 Mandatory?
ISO 27001 Annex A control 5.21 (Managing Information Security In The ICT Supply Chain in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.21 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
ICT means Information and Communications Technology. This includes services such as cloud computing.
When you set up new systems, you should build upon good practices that your company already uses. This includes your best methods for project management, quality control, and general engineering. You are not trying to replace those existing practices.
You must make sure that you do the following:
- You include security rules when you buy new products or services.
- You make sure your suppliers pass along your security rules if they use other subcontractors.
- You ask product makers what software parts they use, and you understand the answer.
- You ask about a product’s security features and know how to set them up safely.
- You check that your suppliers are meeting your security rules through monitoring.
- You find and write down which products and services are most important (critical).
- You can trace where important parts came from in the supply chain.
- You get proof that products are working the way they should.
- You get proof that products meet the necessary security standards.
- You have rules for sharing information about security problems or breaches.
- You have a process for handling the life span of components and related security risks.
- You have thought about backup suppliers and how you would switch to them if you needed to.
You should always buy your products and services from trustworthy sources.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. Supplier Agreements
The auditor will make sure you have agreements in place with all your suppliers. These agreements must clearly cover the information security rules that they need to follow. They will also check that your agreements are current and cover all the products or services you get from those suppliers.
2. ISO 27001 Supplier Register
You need an ISO 27001 Supplier Register. You use this list to track and manage everyone who supplies you. Make sure your register is completely up to date and matches how your company actually works right now.
3. Documentation
The auditor will look at your audit trails and all your written documents. They want to see that everything is classified and labelled. If any documents you show them are secret, you must mark them as confidential. The auditor will also ask you to confirm:
- Is the document current?
- Have you reviewed it in the last year (12 months)?
- Does the version control match your records?