What is ISO 27001 Annex A 5.21 in ISO 27001?
ISO 27001 Annex A 5.21 requires a documented process for managing information security in the ICT supply chain. Organisations must define security requirements for the ICT products and services they acquire, and integrate those requirements into procurement using existing tools such as SharePoint or Jira. The control addresses risks introduced by third-party technology components and protects their integrity throughout the technology lifecycle.
Auditor’s Eye: The Shortcut Trap
Many firms rely on SaaS compliance portals for ICT vendor management. These platforms often provide generic questionnaires that vendors ignore. Auditors find this creates surface-level compliance only. We prefer seeing risk assessments within your native repositories. Jira tickets prove your team actually evaluated the vendor. SharePoint versioning shows your ICT contracts are managed locally. Black-box portals decouple security from your actual technology operations. True compliance requires evidence of internal oversight and intent.
Transition Table (2013 vs 2022)
| ISO 27001:2013 Reference | ISO 27001:2022 Reference | Change Type |
|---|---|---|
| A.15.1.3 Information and communication technology supply chain | 5.21 Managing information security in the ICT supply chain | Control renumbered and updated for clarity. Focus remains on ICT components. |
How to Implement ISO 27001 Annex A 5.21 (Step-by-Step)
The core requirement is establishing security rules for all technology providers. Use your existing business tools to document this process. Frame the implementation as a cultural change within procurement. Follow these steps to secure your ICT supply chain.
- Identify Providers: List all technology vendors in your SharePoint asset register. Include hardware and software providers.
- Assess ICT Risk: Create a Jira workflow for ICT risk assessments. Document how you verify component integrity.
- Define Requirements: Use Confluence to host security standards for ICT vendors. Include vulnerability and incident rules.
- Contract Management: Flow these requirements down into signed agreements. Store all contract versions in SharePoint.
- Periodic Review: Schedule quarterly reviews of high-risk technology providers. Record all findings in meeting minutes.
ISO 27001 Annex A 5.21 Audit Evidence Checklist
Auditors look for manual records and internal document versions. These items prove human oversight and management intent. Ensure your evidence is stored in native systems.
- A SharePoint inventory of all ICT supply chain partners.
- Jira tickets showing completed risk assessments for technology vendors.
- Contracts with specific security clauses for ICT integrity.
- Meeting minutes documenting reviews of technology provider performance.
- Internal wiki pages outlining ICT component security requirements.
Relational Mapping
Annex A 5.21 builds on Annex A control 5.19, which sets the general supplier relationship policy. It supports Clause 8.1 on operational planning and control for technology. It also informs Annex A control 8.8 on management of technical vulnerabilities. Each control forms part of a cohesive management system; use internal links in Confluence to map these dependencies.
Auditor Interview
Auditor: How do you identify security risks in your technology providers?
User: We conduct risk assessments using a standard Jira workflow for all ICT vendors.
Auditor: Where are your technology security requirements documented?
User: We host our ICT security standards on our internal Confluence wiki.
Auditor: How do you ensure these requirements are legally binding?
User: We flow all requirements down into contracts stored in our SharePoint DBMS.
Common Non-Conformities
| Failure Mode | Description |
|---|---|
| Automated Complacency | Relying on a platform’s green tick without internal risk assessment records. |
| Incomplete Inventory | Failing to identify sub-contractors or secondary technology providers in SharePoint. |
| Missing Flow-downs | Contracts with ICT vendors lack specific security and integrity clauses. |
Frequently Asked Questions
What is ISO 27001 Annex A 5.21?
Bottom Line Up Front: Annex A 5.21 requires managing security risks throughout the technology supply chain. Organisations must document security requirements for ICT products and services. You should integrate these requirements into procurement and contract management. This control ensures technology components remain secure across their lifecycle.
How do you manage ICT supply chain risk?
Bottom Line Up Front: Manage ICT risk by mapping providers and conducting assessments. Use internal tools like Jira to track vendor evaluations. Document specific security requirements in contracts stored in SharePoint. This provides clear oversight of your technology dependencies.
What evidence do auditors need for ICT security?
Bottom Line Up Front: Auditors require risk assessments and signed contracts. They look for meeting minutes proving regular vendor reviews. Evidence must reside in internal repositories like SharePoint or Confluence. This proves human oversight and active management of technology risks.
