ISO 27001: 2022 A.5.20 Addressing information security within supplier agreements

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.20 Addressing information security within supplier agreements.

ISO 27001: 2022 Control Description

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

Purpose

To maintain an agreed level of information security in supplier relationships.

Guidance on implementation

Supplier agreements should be established and documented to ensure there is a clear understanding between the organisation and the supplier regarding both parties’ obligations to fulfil relevant information security requirements.

The following terms can be considered for inclusion in the agreements to satisfy the identified information security requirements:

a) A description of the information to be provided or accessed, and the methods for providing or accessing the information;

b) Classification of information according to the organisation’s classification scheme;

c) Mapping between the organisation’s classification scheme and the supplier’s classification scheme;

d) Legal, statutory, regulatory, and contractual requirements, including data protection, handling of personally identifiable information (PII), intellectual property rights, and copyright, and a description of how these will be ensured;

e) The obligation of each contractual party to implement an agreed set of controls, including access control, performance review, monitoring, reporting, and auditing, and the supplier’s obligations to comply with the organisation’s information security requirements;

f) Rules for the acceptable use of information and other associated assets, including guidelines on unacceptable use if necessary;

g) Procedures or conditions for authorisation and the removal of authorisation for the use of the organisation’s information and other associated assets by supplier personnel (e.g. an explicit list of supplier personnel authorised to use the organisation’s information and other associated assets);

h) Information security requirements regarding the supplier’s ICT infrastructure, including minimum information security requirements for each type of information and type of access, to serve as the basis for individual supplier agreements based on the organisation’s business needs and risk criteria;

i) Indemnities and remediation for failure by the supplier to meet requirements;

j) Incident management requirements and procedures (especially notification and collaboration during incident remediation);

k) Training and awareness requirements for specific procedures and information security requirements (e.g. for incident response, authorisation procedures);

l) Relevant provisions for subcontracting, including the controls that need to be implemented, such as agreements on the use of sub-suppliers (e.g. requiring that they are under the same obligations as the supplier, requiring a list of sub-suppliers, and notification before any changes);

m) Relevant contacts, including a contact person for information security issues;

n) Any screening requirements, where legally permissible, for the supplier’s personnel, including responsibilities for conducting the screening and notification procedures if screening has not been completed or if the results raise concerns;

o) The evidence and assurance mechanisms of third-party attestations for relevant information security requirements related to the supplier's processes, and an independent report on the effectiveness of controls;

p) The right to audit the supplier's processes and controls related to the agreement;

q) The supplier’s obligation to periodically deliver a report on the effectiveness of controls and agreement on the timely correction of relevant issues raised in the report;

r) Defect resolution and conflict resolution processes;

s) Provision of backup aligned with the organisation’s needs (in terms of frequency, type, and storage location);

t) Ensuring the availability of an alternative facility (i.e. disaster recovery site) not subject to the same threats as the primary facility, and considerations for fallback controls (alternative controls) if primary controls fail;

u) Having a change management process that ensures advance notification to the organisation and the option for the organisation to reject changes;

v) Physical security controls commensurate with the information classification;

w) Information transfer controls to protect the information during physical transfer or logical transmission;

x) Termination clauses upon conclusion of the agreement, including records management, return of assets, secure disposal of information and other associated assets, and any ongoing confidentiality obligations;

y) Provision of a method for securely destroying the organisation’s information stored by the supplier once it is no longer required;

z) Ensuring, at the end of the contract, handover support to another supplier or to the organisation itself.

The organisation should establish and maintain a register of agreements with external parties (e.g. contracts, memoranda of understanding, information-sharing agreements) to keep track of where their information is going. The organisation should also regularly review, validate, and update these agreements to ensure they are still necessary and fit for purpose with relevant information security clauses.

Agreements can vary considerably between different organisations and among different types of suppliers.