What is ISO 27001 Annex A 5.22?
ISO 27001 Annex A 5.22 (Monitoring, review and change management of supplier services) requires organisations to regularly monitor, review, evaluate and manage changes to their suppliers' information security practices and service delivery. In practice this means checking supplier performance against the security requirements in the agreement, reviewing service and assurance reports, and putting every change to the service or the contract through a documented risk assessment. Integrate these activities into business-as-usual tools such as SharePoint and Jira so that security alignment is maintained throughout the supplier relationship.
Auditor’s Eye: The Shortcut Trap
Reliance on automated SaaS compliance platforms often produces surface-level compliance. These “black box” tools provide generic checklists that decouple security from day-to-day operations, and auditors find that they hide a lack of management ownership. Evidence held in your native document repositories is stronger: dated meeting minutes in SharePoint prove that a human discussion took place, and Jira workflows show change management as it actually happened. Automated green ticks in an external app rarely satisfy a lead auditor; genuine compliance requires records kept within your primary organisational tools.
Transition Table: 2013 vs 2022
| 2013 Control Reference | 2022 Control Reference | Key Change |
|---|---|---|
| A.15.2.1, A.15.2.2 | 5.22 | Merged monitoring, review, and change management into one control. |
How to Implement ISO 27001 Annex A 5.22 (Step-by-Step)
Implementation requires integrating supplier oversight into your existing workflow tools. Frame it as a cultural change within procurement and IT, led by the core requirement: documented evidence of active monitoring and change control.
- Identify Key Suppliers: Maintain a supplier register in SharePoint listing every supplier that processes, stores or has access to sensitive information, with the internal owner and the agreed security requirements for each.
- Schedule Reviews: Create recurring Jira tasks for quarterly service reviews so that each review leaves a dated, assignable record.
- Analyse Reports: Review supplier security and service reports (for example SOC 2 reports and SLA reports) and document your internal findings and any follow-up actions.
- Document Changes: Raise a Jira ticket for every change to a supplier service or agreement, and record the security risk assessment in the ticket before the change is accepted.
- Perform Audits: Conduct periodic audits of high-risk suppliers and save the reports in Confluence.
ISO 27001 Annex A 5.22 Audit Evidence Checklist
Auditors look for records that prove human oversight and intent. Do not present an external vendor dashboard as your evidence; present the internal, version-controlled documents.
- Dated meeting minutes in SharePoint discussing supplier security performance.
- Jira change tickets showing the security risk assessment for each change to a supplier service (for example a new feature or a changed data centre location).
- Internal audit reports documenting on-site or remote supplier inspections.
- Supplier service reports with internal management review signatures.
- Evidence of updated security requirements in Confluence wiki pages.
Relational Mapping
Annex A 5.22 depends on Annex A 5.19 (Information security in supplier relationships) for the supplier security policy that defines what is to be monitored. It supports Annex A 5.20 (Addressing information security within supplier agreements) by verifying that the contractual obligations are actually met. Findings from supplier reviews also feed Annex A 5.7 (Threat intelligence) with supplier-specific risks, and each review contributes to the information security risk assessment required by Clause 6.1.2.
Auditor Interview
Auditor: How do you verify your cloud provider maintains security standards?
User: We review their annual SOC 2 reports and log the review in SharePoint.
Auditor: What happens when a supplier changes their data centre location?
User: We initiate a change ticket in Jira to assess the new risk.
Auditor: Where do you record performance issues with a vendor?
User: We document all issues and remedial actions in our monthly review minutes.
Common Non-Conformities
| Failure Mode | Audit Finding |
|---|---|
| Automated Complacency | Relying on a SaaS platform’s “verified” status without internal procedural evidence. |
| Lack of Change Control | Modifying supplier service scope without a documented security risk assessment. |
| Missing Minutes | Claiming to perform reviews but having no dated records in SharePoint. |
Frequently Asked Questions
How should organisations monitor supplier services?
Bottom Line Up Front: Check supplier performance against the security requirements agreed in the contract. Review service and assurance reports and conduct audits at a defined frequency, and record each activity in your internal document systems. Dated, version-controlled records prove active management and accountability and demonstrate continuous compliance over time.
What is required for supplier change management?
Bottom Line Up Front: Changes to supplier services must go through a formal change process. Assess the security risk before the change is implemented, then update contracts and internal procedures as necessary. Track these updates in version-controlled documents so that the assessment, the decision and the resulting changes can be traced. Human review at each step ensures that a change is not accepted before its security impact is understood.
Who is responsible for reviewing supplier security?
Bottom Line Up Front: The designated contract manager or asset owner is responsible for verifying that each supplier maintains the agreed security level. Management reviews these findings periodically, and documented evidence of the reviews is mandatory for compliance. Do not delegate this responsibility to an automated platform.
