In the world of information security, your protection is only as strong as the weakest link in your chain. Increasingly, that link isn’t inside your office—it is somewhere deep within your Information and Communications Technology (ICT) supply chain. With the release of ISO 27001:2022, the standard has taken a much more aggressive stance on how organisations must manage these external risks through Annex A 5.21.
If you are upgrading from the 2013 version, you might remember the old A.15.1.3 control. While the DNA is similar, Annex A 5.21 has evolved to address the complexities of modern SaaS, cloud infrastructure, and outsourced development. Let’s break down exactly what has changed and how you can stay ahead of the curve.
The Evolution from A.15.1.3 to Annex A 5.21
In the 2013 version, this control was numbered A.15.1.3 (Information and communication technology supply chain). It was a relatively short requirement that asked organisations to ensure their agreements with ICT suppliers addressed security risks. It often felt like a “set it and forget it” clause in a contract.
Fast forward to the 2022 update, and the control has been re-imagined as Annex A 5.21 (Managing information security in the ICT supply chain). It is now classified under the “Organisational Controls” theme. The primary shift here is from passive agreement to active management. According to the experts at Hightable.io, the 2022 version is a “preventive” control that demands you maintain an agreed level of security throughout the entire lifecycle of the product or service, not just at the point of purchase.
A Broader Definition of “ICT Supply Chain”
One of the most significant changes in Annex A 5.21 is the expansion of what counts as an ICT supplier. In 2013, the focus was primarily on traditional hardware and software vendors. The 2022 version reflects the modern reality that our supply chains are now multi-layered and digital-first.
The scope now explicitly includes:
- Cloud Service Providers (CSPs) and SaaS platforms.
- Managed Service Providers (MSPs) and external SOC teams.
- Outsourced software developers and code repositories.
- Upstream providers (your supplier’s suppliers).
This “look-through” requirement is a major step up from 2013. You are now expected to have visibility into the security practices of the entities that your own suppliers rely on.
Increased Focus on Supply Chain Transparency
The 2022 version of Annex A 5.21 places a much higher premium on transparency. In the past, you might have just checked if a vendor was “reputable.” Now, the standard encourages a more investigative approach. As highlighted by Hightable.io, you are now expected to request and understand the specific security functions of the ICT products you buy and how to configure them securely.
This includes identifying “critical components” within the products you use and ensuring their origin and authenticity can be traced. In an era of supply chain attacks targeting software updates, this requirement for traceability is a direct response to modern cybersecurity threats.
Integration with Business Continuity and Readiness
While the 2013 version kept supply chain and business continuity in somewhat separate boxes, the 2022 update bridges that gap. Annex A 5.21 is now closely linked with the new Annex A 5.30 (ICT readiness for business continuity).
You are now required to ensure that your ICT suppliers have robust continuity plans that align with your own. If a cloud provider goes down, your ISMS should be able to demonstrate that you’ve assessed that risk and have a plan for how to handle the disruption. This integrated approach ensures that your supply chain isn’t just secure—it’s resilient.
Practical Impact: Moving Beyond the Contract
If you are transitioning to the 2022 version, your implementation of Annex A 5.21 needs to be more “hands-on” than it was under the 2013 framework. It is no longer enough to have a signed contract in a drawer. Auditors are now looking for:
- A Dynamic Supplier Register: An up-to-date record of every external ICT service and tool, including risk scores and review dates.
- Monitoring and Validation: Evidence that you are actually checking if your suppliers are doing what they promised (e.g., reviewing their SOC 2 reports or penetration test summaries).
- Criticality Mapping: A clear list of which ICT products are “critical” to your operations and what the “fallback” plan is if they fail.
Hightable.io notes that one of the most common mistakes in the transition is failing to document “exceptions.” If a critical supplier refuses to sign your security annex, how are you managing that risk? The 2022 standard expects to see a formal risk waiver or an alternative control in place.
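The three audit expectations above, plus the documented-exception point, can be checked mechanically against a supplier register. The following is an added illustration, not code from Hightable.io or from the standard; the register rows, the 1–5 risk scale, the annual review cadence and the waiver reference are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Supplier:
    name: str
    service: str
    critical: bool            # part of the criticality mapping
    risk_score: int           # assumed 1 (low) to 5 (high) scale
    last_review: date
    annex_signed: bool        # did the supplier sign the security annex?
    waiver_ref: Optional[str] = None   # formal risk waiver id if annex unsigned
    fallback: Optional[str] = None     # continuity plan for critical services
    evidence: List[str] = field(default_factory=list)  # SOC 2 report, pentest summary, ...

REVIEW_INTERVAL_DAYS = 365   # assumed annual review cadence
AUDIT_DATE = date(2024, 6, 1)  # constructed audit date

def audit_register(register: List[Supplier], today: date):
    """Return (supplier, finding) pairs an auditor would raise against the register."""
    findings = []
    for s in register:
        if (today - s.last_review).days > REVIEW_INTERVAL_DAYS:
            findings.append((s.name, "review overdue"))
        if not s.evidence:
            findings.append((s.name, "no monitoring or validation evidence"))
        if s.critical and not s.fallback:
            findings.append((s.name, "critical service without fallback plan"))
        if not s.annex_signed and not s.waiver_ref:
            findings.append((s.name, "unsigned security annex without risk waiver"))
    return findings

# Constructed sample register: one clean entry, one neglected, one with a documented exception.
REGISTER = [
    Supplier("CloudCo", "IaaS hosting", True, 4, date(2024, 2, 10), True,
             fallback="restore from offsite backups to secondary region",
             evidence=["SOC 2 Type II report 2023"]),
    Supplier("DevShop Ltd", "outsourced development", False, 3, date(2023, 1, 15), False),
    Supplier("MSP Alpha", "managed SOC", True, 3, date(2024, 5, 1), False,
             waiver_ref="RW-0042", evidence=["penetration test summary 2024-04"]),
]

if __name__ == "__main__":
    for name, finding in audit_register(REGISTER, AUDIT_DATE):
        print(f"{name}: {finding}")
```

The register entries only say what the auditor wants to see; the point is that an unsigned annex without a waiver reference fails the check even when the supplier is otherwise well evidenced.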

Why the Change is Essential for Modern Business
The shift from the 2013 version to ISO 27001:2022 Annex A 5.21 represents a shift from “compliance” to “governance.” It acknowledges that in a world of interconnected APIs and shared cloud infrastructure, your security boundary doesn’t end at your firewall.
By following the updated requirements, you aren’t just ticking a box for an auditor; you are building a more transparent and trustworthy business. For those looking to streamline this transition, using the structured supplier registers and risk assessment templates available at Hightable.io can help you manage these complex ICT relationships without the administrative headache.
