What Is the Purpose of ISO 27001:2022 Annex A 5.22?
Annex A control 5.22 aims to ensure that an agreed level of information security and service delivery is maintained. This is in accordance with supplier contracts regarding supplier service development.
The Services of Suppliers Are Monitored and Reviewed
In Annex A 5.22, organisations are described as regularly monitoring, reviewing and auditing their supplier service delivery processes. Conducting reviews and monitoring is best done in accordance with the information at risk since one size does not fit all situations.
By conducting its reviews in accordance with the proposed segmentation of suppliers, the organisation can optimise their resources and ensure that their efforts are concentrated on monitoring and reviewing where the most significant impact can be achieved.
As with Annex A 5.19, pragmatism is sometimes necessary – small organisations will not necessarily receive an audit, a human resource review, or dedicated service improvements by using AWS. To ensure that they remain suitable for your purpose, you might check (for example) their annually published SOC II reports and security certifications.
Monitoring should be documented based on your power, risks and value, so your auditor can confirm that it has been completed. This is because any necessary changes have been managed through a formal change control procedure.
Managing Supplier Service Changes
Suppliers must maintain and improve existing information security policies, procedures, and controls to manage any changes to the provision of services by suppliers. The process considers the criticality of business information, the nature of the change, the supplier types affected, the processes and systems involved, and a reassessment of risks.
In making changes to suppliers’ services, it is also important to consider the intimacy of the relationship. This is as well as the organisation’s ability to influence or control a change within the supplier.
Control 5.22 specifies how organisations should monitor, review, and manage changes to a supplier’s security practices and service delivery standards. It also assesses how they impact the organisation’s own security practices.
In managing relationships with their suppliers, an organisation should strive to maintain a baseline level of information security that complies with any agreements they have signed.
In accordance with ISO 27001:2022, Annex A 5.22 is a preventative control designed to minimise risk by helping the supplier maintain an “agreed level of information security and service delivery.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Annex A Control 5.22
A member of senior management who oversees an organisation’s commercial operations and maintains a direct relationship with the organisation’s suppliers should be responsible for Control 5.22.
ISO 27001:2022 Annex A 5.22 General Guidance
According to ISO 27001:2022 Annex A Control 5.22, 13 key areas should be considered when managing supplier relationships and how these factors affect their own information security measures.
An organisation must ensure that employees responsible for managing service-level agreements and supplier relationships possess the requisite skills and technical resources. This is to ensure that they are able to evaluate supplier performance adequately and that information security standard is not breached.
An organisation’s policies and procedures should be drafted by:
- Continuously monitor service levels in accordance with published service level agreements, and address any shortfalls as soon as they arise.
- The supplier must be monitored for any changes to their own operation, including (but not limited to): (1) Service enhancements (2) New applications, systems or software processes (3) Relevant and meaningful revisions to the internal governance documents of the supplier, and (4) any changes to incident management procedures or attempts to improve the level of information security.
- Any changes involving the service, including (but not limited to): a) Infrastructure changes b) Applications of emerging technologies c) Product updates and version upgrades d) Changes in the development environment e) Logistical and physical changes to supplier facilities, including new locations f) Changes to outsourcing partners or subcontractors g) Intentions to subcontract, where such a practice has not been practised previously.
- Ensure that service reports are delivered regularly, that data is analysed, and that review meetings are conducted in accordance with agreed service levels.
- Ensure that outsourcing partners and subcontractors are audited and address any areas of concern.
- Conduct a review of security incidents based on the standard and practices agreed upon by the supplier and in accordance with the incident management standards.
- Records should be maintained on all incidents of information security, tangible operational problems, fault logs, and general barriers to meeting the agreed-upon service delivery standards.
- Take proactive action in response to incidents relating to information security.
- Identify any vulnerabilities in information security and mitigate them to the fullest extent possible.
- Perform an analysis of any relevant information security factors associated with the supplier’s relationship with its suppliers and subcontractors.
- In the event of significant disruption on the supplier’s side, including a disaster recovery effort, ensure service delivery is delivered to acceptable levels.
- Provide a list of the key personnel in the supplier’s operation responsible for maintaining compliance and adhering to the terms of the contract.
- Make sure that a supplier maintains a baseline standard for information security regularly.
Supporting Annex A Controls
- ISO 27001:2022 Annex A 5.29
- ISO 27001:2022 Annex A 5.30
- ISO 27001:2022 Annex A 5.35
- ISO 27001:2022 Annex A 5.36
- ISO 27001:2022 Annex A 8.14
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
What Is the Benefit of Using ISMS.online to Manage Supplier Relationships?
This Annex A control objective has been made very easy by ISMS.online. This is because ISMS.online provides evidence that your relationships are carefully selected, well-managed, and monitored and reviewed. This is done in our easy-to-use Accounts relationships (e.g. supplier) area. Collaboration projects work spaces allow the auditor to easily view important supplier on boarding, joint initiatives, off boarding, etc.
In addition to assisting your organisation with this Annex A control objective, ISMS.online also provides you with the ability to provide evidence that the supplier has formally accepted the requirements and has understood its responsibilities for information security through our Policy Packs. As a result of their specific policies & controls, Policy Packs assure suppliers that their staff have read and committed to complying with the organisation’s policies & controls.
There may be a broader requirement to align with Annex A.5.8 Information security in project management, depending on the nature of the change (e.g. for more material changes).
Implementing ISO 27001 is easier with our step-by-step checklist, which guides you from defining your ISMS scope to identifying risks and implementing controls.
ISMS.online offers the following benefits:
- The platform allows you to create an ISMS compliant with ISO 27001 requirements.
- Users can complete tasks and submit evidence to demonstrate compliance with the standard.
- The process of delegating responsibilities and monitoring compliance progress is easy.
- As a result of the comprehensive risk assessment tool set, the process is expedited and time-saving.
- A dedicated team of consultants can assist you throughout the compliance process.
Get in touch with us today to schedule a demo.
