As we keep going through the Organisational controls of ISO 27001:2022, this article focuses on controls A.5.19 through to A.5.23. We will cover all things related to suppliers, including agreements, managing security within the supply chain and monitoring, review and managing changes with your suppliers. We will also include specific details about cloud suppliers.
A.5.19 Information security in supplier relationships
The objective of this clause is to ensure you have policies and procedures in place protect your organisation’s assets that are accessible by suppliers.
Areas covered often include:
- Supplier access
- Processing facilities
- Storage
- Communication
- IT infrastructure components
A.5.20 - Addressing information security within supplier agreements
The aim of this control is to ensure that all information security requirements are agreed with each supplier based on the risks of the individual supplier.
The process for this is to:
- Review all your assets you are managing as part of A.5.9 Inventory of information and other associated assets.
- Check that controls for mitigating the risks associated with your supplier’s access to those assets are agreed with the supplier.
- Document the agreements.
Once the supplier interactions and risks are documented, they should be discussed with the supplier’s management and then documented those into your supplier agreements.
A.5.21 - Managing information security in the information and communication technology (ICT) supply chain
This control aims to ensure that risks associated with the whole ICT Supply Chain are addressed.
This can be achieved by ensuring that all of the requirements determined with your supplier(s) in A.5.19 and A.5.20 flow down to any of their suppliers. This should be discussed with your supplier, to ensure you are aware of their use of suppliers, and documented in any agreements to ensure that your requirements and their responsibilities are incorporated in any agreements between your supplier and their suppliers.
A.5.22 - Monitoring, review and change management of supplier services
The objective here is to maintain your agreed level of information security and service delivery in line with your supplier agreements. This control is closely related to the A.5.19 above.
Firstly, you need to regularly monitor, review and audit supplier service to your business.
Performance can be monitored during periodic management meetings as well as in the formal Management Review. Suppliers should be monitored periodically, often annually. An supplier assessment checklist for this is a good way to ensure that you cover all criteria and that it remains consistent.
Depending on what your supplier is supplying, ongoing assessment based on service delivery or quality is often used to assess suppliers. Ensuring that you have criteria to assess them is vital here.
Secondly you need to manage the changes to services by your suppliers. This includes maintaining and improving information security policies, procedures and controls. You need to take into account the criticality of business information, systems and processes involved and re-assessment of risks.
The change management system can be used to manage changes to the provision of service. We check the risks involved and seek signoff along the process.
A.5.23 - Information security for use of cloud services
The aim of this clause is to ensure that policies are established on the use of cloud services and associated risks. This can be an extension on how you manage services provided by external parties as outlined in A.5.21 and A.5.22 and should be communicated with relevant interested parties.
Each agreement you make with a cloud service provider should address issues such as confidentiality, integrity, availability and information handling requirements you have. Before entering an agreement, risks assessments should be carried out to identify and mitigate risks, with residual risks clearly identified and accepted by appropriate management of the business.
Takeaways
Key takeaways for managing information within your supply chain include:
- Look to create mutually beneficial relationship with your critical suppliers
- Review assets and how your suppliers access and interact with them and agree on controls with suppliers
- Document these into agreements with suppliers
- Monitor and review supplier performance against the agreements.
- View the previous post in the series: Guarding the Gates: Effective Identity and Access Strategies for implementing Clauses A.5.15 - A.5.18
- Read the next post in the series: From Prevention to Recovery: A Guide to Business Continuity and Incident Management in Controls A.5.24 to A.5.30
DQS Newsletter
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.