What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.22

Managing information security within your own four walls is challenging enough, but ensuring your suppliers are keeping up their end of the bargain is a whole different ball game. In the jump from ISO 27001:2013 to the 2022 version, the standard sharpened its focus on how we oversee these external partners. This brings us to Annex A 5.22: Monitoring, review and change management of supplier services.

If you are transitioning your Information Security Management System (ISMS), you’ll find that Annex A 5.22 isn’t exactly “new,” but it has been significantly streamlined. It’s no longer just about having a contract; it’s about active, ongoing oversight. Let’s look at the transition from the fragmented 2013 approach to the unified 2022 standard.

Consolidation: Two Controls Become One

In the 2013 version of the standard, the rules for watching over your suppliers were split into two distinct sub-controls under Domain A.15:

  • A.15.2.1: Monitoring and review of supplier services.
  • A.15.2.2: Managing changes to supplier services.

The 2022 update merges these into a single, comprehensive control: Annex A 5.22. This consolidation is a logical move. You cannot effectively monitor a supplier without also managing the changes they make to their service, and you can’t manage changes if you aren’t monitoring them in the first place. By merging these, the standard encourages a more holistic view of the supplier lifecycle.

A Move Toward Active Governance

One of the biggest shifts in Annex A 5.22 is the move away from “passive” compliance. In 2013, many organisations satisfied this requirement by simply filing away an annual SOC 2 report from their vendors. While that is still part of the process, the 2022 version expects more proactive governance.

According to the experts at Hightable.io, the new control emphasizes that monitoring should be proportional to the risk. If a supplier is “critical”, meaning they handle your most sensitive data or keep your core services running, your review process needs to be more frequent and detailed. You aren’t just looking at whether the service is “up”; you are reviewing their security incident logs, their vulnerability disclosure reports, and even their own internal audit results where possible.

Managing the “Change” in Supplier Services

The “change management” aspect of Annex A 5.22 is where many organisations find the most significant difference. In the 2013 version (A.15.2.2), this was often interpreted as managing changes you made to the contract. The 2022 update makes it clear that you must also manage changes the supplier makes.

This includes updates to their software, changes to their physical data centre locations, or even shifts in their own sub-contractors. As noted by Hightable.io, if your cloud provider moves your data from a UK server to a US server, Annex A 5.22 requires you to have a process to catch that change, assess the risk (such as data sovereignty issues), and respond accordingly. It transforms change management from a legal exercise into a technical security check.

What Auditors Are Looking For in the 2022 Version

If you are heading into a transition audit, the “evidence” required for Annex A 5.22 has become more tangible. It’s no longer enough to say you have a good relationship with your vendor. Auditors will be looking for:

  • Performance Dashboards or Reports: Evidence that you are tracking uptime, incident response times, and security KPIs against the agreed Service Level Agreements (SLAs).
  • Review Meeting Minutes: Proof of regular dialogue with critical suppliers where security was an agenda item.
  • Verification of Independent Audits: Records showing you haven’t just received a supplier’s certificate, but that you’ve actually reviewed the report and noted any “exceptions” or “areas for improvement.”
  • Change Logs: A record of significant changes reported by suppliers and your internal assessment of the security impact of those changes.

Practical Impact: Modernising Your Supplier Register

To meet the requirements of Annex A 5.22, your Supplier Register needs to evolve. It should no longer be a static list of contacts. Instead, it should act as a management tool. Hightable.io suggests that your register should include “risk tiers,” allowing you to automate different monitoring schedules for different suppliers.

For example, a low-risk office stationery supplier might only need an annual review of their basic terms, whereas your primary Cloud Infrastructure provider would require monthly performance reviews and immediate notification of any security configuration changes.
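The tiered register described above, as an added example that is not part of the article or any Hightable.io template: a small Python model of a supplier register in which each supplier carries a risk tier, the tier drives the review cadence, and supplier-reported changes of certain kinds (such as a data location move) are flagged until a security impact assessment has been recorded. The tier names, review intervals, change categories and the two sample suppliers are constructed for illustration; the article itself only contrasts a "critical" cloud provider with a low-risk stationery supplier.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence per risk tier. Hypothetical tiers: the article only contrasts
# "critical" (monthly review) with low-risk (annual review).
REVIEW_INTERVAL_DAYS = {
    "critical": 30,   # e.g. primary cloud infrastructure provider
    "high": 90,
    "standard": 365,  # e.g. office stationery supplier
}

# Supplier-reported change kinds that always need a documented security impact
# assessment (constructed list based on the examples given in the article).
CHANGES_REQUIRING_ASSESSMENT = {
    "data_location",          # e.g. data moved from a UK to a US region
    "subcontractor",          # supplier changes its own sub-contractors
    "security_configuration", # configuration change on a critical service
    "software_major",         # major update to the supplied software
}


@dataclass
class SupplierChange:
    reported_on: date
    kind: str
    description: str
    assessed: bool = False  # True once the security impact has been recorded


@dataclass
class Supplier:
    name: str
    tier: str
    last_review: date
    changes: list = field(default_factory=list)

    def next_review_due(self) -> date:
        """Date by which the next review must happen, derived from the tier."""
        return self.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[self.tier])


def overdue_reviews(register, today):
    """Names of suppliers whose tier-based review date has already passed."""
    return sorted(s.name for s in register if s.next_review_due() < today)


def unassessed_changes(register):
    """(supplier, change kind) pairs that still need a security impact assessment."""
    return [
        (s.name, c.kind)
        for s in register
        for c in s.changes
        if c.kind in CHANGES_REQUIRING_ASSESSMENT and not c.assessed
    ]


def build_sample_register():
    """Constructed sample register: one critical and one low-risk supplier."""
    return [
        Supplier("Example Cloud Ltd", "critical", date(2024, 1, 15), [
            SupplierChange(date(2024, 2, 1), "data_location",
                           "Primary region moved from UK to US"),
            SupplierChange(date(2024, 2, 3), "ui_theme",
                           "Console colour scheme updated"),  # cosmetic, no assessment needed
        ]),
        Supplier("Example Stationery", "standard", date(2023, 9, 1)),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    today = date(2024, 3, 1)  # constructed "current" date for the demonstration
    print("Overdue reviews:", overdue_reviews(register, today))
    print("Changes awaiting assessment:", unassessed_changes(register))
```

Run on the sample register with 1 March 2024 as the current date, the critical cloud provider is reported as overdue (its monthly review lapsed mid-February) and its data location change is listed as awaiting assessment, while the cosmetic console change is ignored; the stationery supplier's annual review is not yet due. The same two functions are the kind of evidence an auditor can ask for: a review schedule tied to risk tier, and a change log with an assessment status per change.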

Why This Update is Better for Your Business

The transition from the 2013 version to ISO 27001:2022 Annex A 5.22 reflects a world where we no longer own our infrastructure—we rent it. Because we are so dependent on third parties, our security is fundamentally tied to theirs.

By unifying monitoring and change management, the standard helps you build a more resilient “extended enterprise.” It moves supplier management out of the procurement office and into the security operations centre. For those looking to simplify this transition, using the automated vendor monitoring templates and risk-scoring tools at Hightable.io can turn a complex compliance task into a streamlined, high-value security process.