What Is the Purpose of ISO 27001:2022 Annex A 5.21?
In Annex A Control 5.21, organisations must implement robust processes and procedures before supplying any products or services to manage information security risks.
Control 5.21 in Annex A is a preventative control that maintains the risk within the ICT supply chain by establishing an “agreed level of security” between the parties.
Annex A 5.21 of ISO 27001 is aimed at ICT suppliers who may need something in addition to or instead of the standard approach. Although ISO 27001 recommends numerous areas for implementation, pragmatism is also required. Considering the organisation’s size compared to some of the very large companies it will occasionally be working with (e.g. data centres, hosting services, banks, etc.), it may need to have the ability to influence practices further down the supply chain.
Depending on the information and communication technology services being provided, the organisation should carefully assess the risks that may arise. In the case of an infrastructure-critical service provider, for example, it is important to ensure greater protection than if the supplier only has access to publicly available information (e.g. source code for the flagship software service) if the supplier provides infrastructure-critical services.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Annex A Control 5.21
In Annex A Control 5.21, the focus is on the provision of information and communication technology services by a supplier or group of suppliers.
Therefore, the person responsible for acquiring, managing, and renewing ICT supplier relationships across all business functions, such as the Chief Technical Officer or Head of Information Technology, should have ownership of this process.
ISO 27001:2022 Annex A 5.21 – General Guidelines
The ISO 27001 standard specifies 13 ICT-related guidance points that should be considered alongside any other Annex A controls that govern an organisation’s relationship with its suppliers.
Over the past decade, cross-platform on-premise and cloud services have become increasingly popular. ISO 27001:2022 Annex A Control 5.21 deals with the supply of hardware and software-related components and services (both on-premise and cloud-based) but rarely differentiate between the two.
Several Annex A controls address the relationship between the supplier and the organisation and the supplier’s obligations when subcontracting parts of the supply chain to third parties.
- Organisations should draft a comprehensive set of information security standards tailored to their specific needs to set clear expectations regarding how suppliers should conduct themselves in providing ICT products and services.
- ICT suppliers are responsible for ensuring that contractors and their personnel are fully conversant with the organisation’s unique information security standards. This is true if they subcontract any element of the supply chain.
- The supplier must communicate the organisation’s security requirements to any vendors or suppliers they use when the need arises to acquire components (physical or virtual) from third parties.
- An organisation should request information from suppliers regarding the software components’ nature and function.
- The organisation should identify and operate any product or service provided in a manner that does not compromise information security.
- Risk levels should not be taken for granted by organisations. Instead, organisations should draft procedures that ensure that any products or services delivered by suppliers are secure and comply with industry standards. Several methods may be employed to ensure compliance, including certification checks, internal testing, and supporting documentation.
- As part of receiving a product or service, organisations should identify and record any elements deemed essential to maintaining core functionality – particularly if those components were derived from subcontractors or outsourced agreements.
- Suppliers should have concrete assurances that “critical components” are tracked throughout the ICT supply chain from creation to delivery as part of an audit log.
- Organisations should seek categorical assurance before delivering ICT products and services. This is to ensure that they operate within the scope and do not contain any additional features that may pose a collateral security risk.
- Component specifications are crucial to ensure that an organisation understands the hardware and software components it is introducing to its network. Organisations should require stipulations confirming that components are legitimate upon delivery, and suppliers should consider anti-tampering measures throughout the development life cycle.
- It is critical to obtain assurances regarding the compliance of ICT products with industry-standard and sector-specific security requirements according to the specific product requirements. It is common for companies to achieve this by obtaining a minimum level of formal security certification or adhering to a set of internationally recognised information standards (for example, the Common Criteria Recognition Arrangement).
- Sharing information and data regarding mutual supply chain operations requires organisations to ensure that suppliers know their obligations. In this regard, organisations should acknowledge potential conflicts or problems between the parties. They should also know how to resolve them at the beginning of the process. Age of the process.
- The organisation must develop procedures to manage risk when operating with unsupported, unsupported, or legacy components, wherever they are located. In these situations, the organisation should be able to adapt and identify alternatives accordingly.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Annex A 5.21 Supplementary Guidance
Per Annex A Control 5.21, ICT supply chain governance should be considered in collaboration. It is intended to complement existing supply chain management procedures and to provide context for ICT-specific products and services.
The ISO 27001:2022 standard acknowledges that quality control within the ICT sector does not include granular inspection of a supplier’s compliance procedures, particularly regarding software components.
It is therefore recommended that organisations identify supplier-specific checks that are used to verify that the supplier is a “reputable source” and that they draft agreements that state in detail the supplier’s responsibilities for information security when fulfilling a contract, order or providing a service.
What Are the Changes From ISO 27001:2013?
ISO 27001:2022 Annex A Control 5.21 replaces ISO 27001:2013 Annex A Control 15.1.3 (Supply chain for information and communication technology).
In addition to adhering to the same general guidance rules as ISO 27001:2013 Annex A 15.1.3, ISO 27001:2022 Annex A 5.21 places a great deal of emphasis on the supplier’s obligation to provide and verify component-related information at the point of supply, including:
- Suppliers of information technology components.
- Provide an overview of a product’s security features and how to use it from a security perspective.
- Assurances regarding the level of security required.
According to ISO 27001:2022 Annex A 5.21, the organisation is also required to create additional component-specific information when introducing products and services, such as:
- Identifying and documenting key components of a product or service that contribute to its core functionality.
- Assuring the authenticity and integrity of components.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
What Is the Benefit of ISMS.online When It Comes to Supplier Relationships?
This Annex A control objective has been made very easy by ISMS.online. This is because ISMS.online provides evidence that your relationships are carefully selected, well-managed, and monitored and reviewed.
This is done in our easy-to-use Accounts relationships (e.g. supplier) area. Collaboration projects work spaces allow the auditor to easily view key supplier on boarding, joint initiatives, off boarding, etc.
Additionally, ISMS.online has made it easier for your organisation to achieve this Annex A control objective by enabling you to provide evidence that the supplier has formally committed to complying with the requirements and has understood the supplier’s responsibilities regarding information security with our Policy Packs.
In addition to the broader agreements between a customer and supplier, Policy Packs are ideal for organisations with specific policies & Annex A controls they wish supplier staff to adhere to, ensuring that they have read their policies and committed to following them.
The Cloud-Based Platform We Offer Additionally Provides the Following Features
- A document management system that is easy to use and can be customised.
- You will have access to a library of polished, pre-written documentation templates.
- The process for conducting internal audits has been simplified.
- A method of communicating with management and stakeholders that is efficient.
- A workflow module is provided to facilitate the implementation process.
To schedule a demo, don’t hesitate to get in touch with us today.
