Supplier Relationships

ISO 27001 Annex A.15

What is the objective of Annex A.15.1 of ISO 27001:2013?

Annex A.15.1 is about information security in supplier relationships. The objective here is protection of the organisation’s valuable assets that are accessible to or affected by suppliers.  We also recommend that you also consider other key relationships here too, for example partners if they are not suppliers but also have an impact on your assets that might not simply be covered by a contract alone.  This is an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth now.

A.15.1.1 Information Security Policy for Supplier Relationships

Suppliers are used for two main reasons; one: you want them to do work that you have chosen not to do internally yourself, or; two: you can’t easily do the work as well or as cost effectively as the suppliers.

There are many important things to consider in approach to supplier selection and management but one size does not fit all and some suppliers will be more important than others.  As such your controls and policies should reflect that too and a segmentation of the supply chain is sensible; we advocate four categories of supplier based on the value and risk in the relationship.  These range from those who are business critical through to other vendors who have no material impact on your organisation.

Some suppliers are also more powerful than their customers (imagine telling Amazon what to do if you are using their AWS services for hosting) so it’s pointless having controls and policies in place that the suppliers will not adhere to.  Therefore reliance on their standard policies, controls and agreements is more likely – meaning the selection and risk management becomes even more important. 

In order to take a more forward approach to information security in the supply chain with the more strategic (high value / higher risk) suppliers, organisations should also avoid binary ‘comply or die’ risk transferring adversarial practises e.g. awful contracts preventing good collaboration. Instead develop more close working relationships with those suppliers where there are high value information and assets at risk or they are adding to your information assets in some way. This is likely to lead to improved working relationships, and therefore, deliver better results.

A good policy describes the segmentation, selection, management, exit, and how information assets around suppliers are controlled in order to mitigate the associated risks, yet still enable the business goals and objectives to be achieved. Smart organisations will wrap their information security policy for suppliers into a broader relationship framework and avoid just concentrating on security per se, looking to the other aspects as well.

An organisation may want suppliers to access and contribute to certain assets (e.g. software code development, accounting payroll information).  and they would therefore need to make clear agreements of exactly what access they are allowing them, so they can control the security around this. This is especially important at the moment with more and more information management, processing and technology services being outsourced – requiring these supplier relationships to be managed in a formal manner in regards to information security.  That means having a place to show management of the relationship is happening; contracts, contacts, incidents, relationship activity and risk management etc. Where the supplier is also intimately involved in the organisation, but may not have its own certified ISMS, then ensuring the supplier staff are educated and aware of security, trained on your policies etc is also worth demonstrating compliance around.


A.15.1.2 Addressing Security Within Supplier Agreements

All relevant information security requirements must be in place with each supplier that has access to or can impact the organisation’s information (or assets that process it). Again this should not be a one size fits all – take a risk based approach around the different types of suppliers involved and work they do.

Working with suppliers that already meet the majority of your organisations information security needs for the services they provide to you and have a good track record of addressing information security concerns responsibly is a very good idea – as it will make all of these processes much easier. In simple terms, look for suppliers that already have achieved an independent ISO 27001 certification or equivalent themselves.  

It is also important to ensure that the suppliers are being kept informed and engaged with any changes to the ISMS or specifically engaged around the parts that affect their services. Your auditor will want to see this evidenced – so, by keeping a record of this in your supplier on-boarding projects or annual reviews it will be easy to do so. Things to include in the supply scope and agreements generally include: the work and its scope; information at risk and classification; legal and regulatory requirements e.g. adherence to GDPR and or other applicable legislation; reporting and reviews; non disclosure; IPR; incident management; specific policies to comply with if important to the agreement; obligations on subcontractors; screening on staff etc.  A good standard contract will deal with these points but as above, sometimes it might not be required, ir way over the top for the type of supply, or it might not be possible to force a supplier to follow your idea of good practice.  Be pragmatic and risk centred in the approach. 

This control objective also ties in closely with Annex A.13.2.4 where confidentiality and non disclosure agreements are the main focus.

A.15.1.3 Information & Communication Technology Supply Chain

A good control here is building on the A.15.1.2 and is focused on the ICT suppliers who may need something in addition or instead of the standard approach. The organisation should again recognise its size compared to some of the very large providers that it will sometimes be working with (e.g. datacentres & hosting services, banks etc), therefore potentially limiting its ability to influence practices further into the supply chain. The organisation should consider carefully what risks there may be based upon the type of information and communication technology services that are being provided, for example, if the supplier is a provider of infrastructure critical services, or outsourced and specialist freelance developers or other technology and business service suppliers who have access to sensitive information.


More help on the ISO 27001 requirements and Annex A Controls can be found in the Virtual Coach

which complements our frameworks, tools and policy content.

What is the objective of Annex A.15.2 of ISO 27001:2013?

Annex A.15.2 is about supplier service development management. The objective in this Annex A control is to ensure that an agreed level of information security and service delivery is maintained in line with supplier agreements.

A.15.2.1 Monitoring & Review of Supplier Services

A good control describes how organisations should regularly monitor, review and audit their supplier service delivery. Conducting reviews and monitoring is best done based on the information at risk – as a one size approach will not fit all. The organisation should aim to conduct it’s reviews in line with the proposed segmentation of suppliers in order to therefore optimise their resources and make sure that they focus effort on monitoring & reviewing where it will have the most impact.

Evidence of this monitoring should be completed, thus allowing your auditor to be able to see that it has been completed, and that any necessary changes have been managed through a formal change control process.

A.15.2.2 Managing Changes to Supplier Services

A good control describes how any changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking into account the criticality of business information, the nature of the change, the supplier type effected, the systems and processes involved and a re-assessment of risks.Changes to suppliers services should also take into account the intimacy of the relationship and the organisations ability to influence or control change in the supplier.

How does help with Supplier Relationships? has made this control objective very easy for you by providing evidence that your relationships are being monitored and reviewed, through our easy-to-use private Accounts supplier area, joint projects or other shared workspaces – all of which provide a secure working space, which the auditor can also view with ease when required. has also made this control objective easier for your organisation by enabling you to provide evidence that the supplier has formally committed to complying with the requirements and has understood its responsibilities for information security through our Policy Packs, which have a simple ‘Mark as read’ feature on each different policy, allowing progress to be monitored remotely.


More help on the ISO 27001 requirements and Annex A Controls can be found in the Virtual Coach

which complements our frameworks, tools and policy content.

Discover how you can save time & reduce management resource using to achieve & maintain your ISO 27001 ISMS

Need a set of ISO 27001 policies for your ISMS? includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you a
77% head start with ISO 27001


Discover how you can save time & reduce management resource using to achieve & maintain your ISO 27001 ISMS

ISMS Online Rating: 5 out of 5
Share This