This rule is about ICT supplier management, which means a company must have a system for managing the third-party IT systems, products and services it relies on.
What is ISO 27001 Annex A 5.22?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Monitor, Review And Change Management Of Supplier Services”.
What is the ISO 27001 Annex A 5.22 control objective?
The formal definition and control objective given in the standard is: “The organisation should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.”
What is the purpose of ISO 27001 Annex A 5.22?
The purpose of ISO 27001 Annex A 5.22 is “To ensure you maintain an agreed level of information security and service delivery in line with supplier agreements.”
Is ISO 27001 Annex A 5.22 Mandatory?
ISO 27001 Annex A control 5.22 (Monitor, Review And Change Management Of Supplier Services in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.22 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
You need to put one person or team in charge of checking your suppliers. This person must have the skills and tools to verify that the agreed requirements are being met. If something is not right, they must get it fixed.
Simply put, you must make sure that all the security rules in your legal agreements are followed.
This involves:
- Handling issues, problems, and security incidents as they happen.
- Checking on supplier changes to ensure they do not harm your business.
What You Need to Do
You are going to take these steps:
- You will watch how well your suppliers perform their service. You will most likely use reports or easy-to-read charts to do this.
- You must check for and respond to changes made by suppliers, such as updates or changes to their security rules.
- If the services provided by a supplier change, you must monitor and respond to those changes.
- You must watch the terms and conditions in your agreements to ensure they are followed.
- You need to check your suppliers to make sure they always maintain enough security.
This process is really quite simple. You need to have agreements in place, make sure they are followed, check them often, and fix things quickly when they go wrong. This is mostly just common sense.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. Supplier Agreements
The auditor will check that you have agreements in place with your suppliers. These agreements must cover your information security rules. You need to show that these contracts are current and fully cover the products and services you buy from them.
2. ISO 27001 Supplier Register
You must use an ISO 27001 Supplier Register. This list helps you keep track of and manage your suppliers. Make sure your register is up to date and correctly shows how your company works right now.
3. Reviewing Your Documents
The auditor will look closely at all your paper and electronic records (audit trails). They will check that your documents are classified and labelled correctly. Every document you share with them that is sensitive should be clearly marked as confidential. They will also ask:
- Is the document current?
- Have you reviewed it in the past 12 months?
- Does the version number match your records?