This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.22 Monitoring, review and change management of supplier services.
ISO 27001: 2022 Control Description
The organisation shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
Purpose
To maintain an agreed level of information security and service delivery in line with supplier agreements.
Guidance on implementation
Monitoring, reviewing, and managing changes in supplier services should ensure that the information security terms and conditions of the agreements are adhered to, information security incidents and problems are properly managed, and changes in supplier services or business status do not negatively impact service delivery.
This process should manage the relationship between the organisation and the supplier by:
a) Monitoring service performance levels to verify compliance with the agreements;
b) Monitoring changes made by suppliers, including:
- Enhancements to the current services offered;
- Development of any new applications and systems;
- Modifications or updates to the supplier’s policies and procedures;
- New or changed controls to resolve information security incidents and improve information security;
c) Monitoring changes in supplier services, including:
- Changes and enhancements to networks;
- Use of new technologies;
- Adoption of new products or newer versions or releases;
- New development tools and environments;
- Changes to the physical location of service facilities;
- Changes in sub-suppliers;
- Sub-contracting to another supplier;
d) Reviewing service reports produced by the supplier and arranging regular progress meetings as required by the agreements;
e) Conducting audits of suppliers and sub-suppliers, alongside the review of independent auditor’s reports, if available, and following up on any issues identified;
f) Providing information about information security incidents and reviewing this information as required by the agreements and any supporting guidelines and procedures;
g) Reviewing supplier audit trails and records of information security events, operational problems, failures, fault tracing, and disruptions related to the service delivered;
h) Responding to and managing any identified information security events or incidents;
i) Identifying and managing information security vulnerabilities;
j) Reviewing the information security aspects of the supplier’s relationships with their own suppliers;
k) Ensuring that the supplier maintains sufficient service capability, along with workable plans to ensure that agreed service continuity levels are maintained following major service failures or disasters;
l) Ensuring that suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements;
m) Regularly evaluating whether suppliers maintain adequate levels of information security.
The responsibility for managing supplier relationships should be assigned to a designated individual or team.
Sufficient technical skills and resources should be provided to ensure that the requirements of the agreement, particularly the information security requirements, are being met.
Appropriate actions should be taken when deficiencies in service delivery are observed.