UnixTime

Research Note

ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements

The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or servi...

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.”

Plain-language meaning

The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or services.

A.5.19 says supplier security risks must be managed. A.5.20 makes the agreement part explicit: the supplier must know, accept, and be bound by the security requirements that match the relationship.

Why this matters

Supplier personnel may need the same level of security discipline as internal staff, but the organization does not directly manage the supplier’s people, infrastructure, policies, or risk appetite.

Without agreement terms, security expectations become informal requests. Informal requests are weak when there is a breach, service failure, dispute, audit finding, subcontractor issue, or termination.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Start from supplier risk and relationship type

Do not use the same contract language for every supplier. Define requirements based on:

Factor What to consider
Information exposed Classification, volume, sensitivity, legal duties
Access type Physical, logical, remote, privileged, production, support
Service criticality Business dependency, availability impact, recovery needs
Supplier role Processor, support provider, cloud host, consultant, facilities provider
Location and jurisdiction Legal, transfer, privacy, and enforcement issues
Subcontractors Whether work may be delegated and under what rules
Assurance need Certification, reports, audit rights, questionnaires

The agreement should reflect the risk assessment, not generic procurement wording.

2. Define security requirements before access

Supplier access should not begin until required controls are agreed and implemented.

Typical agreement requirements include:

  • confidentiality and non-disclosure;
  • acceptable use;
  • access control and identity requirements;
  • MFA or privileged access requirements;
  • information classification and handling;
  • secure transfer methods;
  • incident notification timeframes;
  • logging and monitoring expectations;
  • vulnerability and patch expectations;
  • service availability and continuity requirements;
  • audit, assurance, and right-to-review clauses;
  • subcontractor restrictions and flow-down obligations;
  • data return, deletion, or transfer at termination;
  • liability, breach handling, and non-performance consequences.

3. Identify who is responsible for each control

Supplier agreements should not say “security will be maintained” without assigning responsibility.

Use a control responsibility matrix:

Control area Organization Supplier Shared
User approval Yes No No
Account provisioning Sometimes Sometimes Yes
Secure configuration Sometimes Sometimes Yes
Incident notification No Yes Yes
Access review Yes Sometimes Yes
Data deletion at exit No Yes Yes

The point is not the exact split. The point is that both parties understand it.

4. Confirm authorized signatories

The agreement should be approved by people who have authority to bind each party. Security requirements can fail if agreed informally by operational staff without legal, procurement, supplier owner, or management approval.

5. Document deviations

If a supplier cannot meet a required security term, record:

  • the deviation;
  • risk impact;
  • compensating controls;
  • approval;
  • review date;
  • whether the Statement of Applicability or risk treatment plan is affected.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should sample supplier relationships and verify that security requirements are established, agreed, approved, and appropriate to the relationship.

Audit tests:

  • compare supplier risk assessments to contract requirements;
  • verify that access was not granted before required terms were in place;
  • check whether supplier staff with access are subject to equivalent controls;
  • review whether responsibilities are assigned between parties;
  • verify signatory authority;
  • check how deviations are approved and tracked;
  • test whether termination and change clauses exist;
  • confirm that security terms cover non-performance, incidents, liability, and disruption.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
Supplier risk assessment Requirements are risk-based
Contract or agreement Requirements are formally agreed
Security schedule or addendum Detailed controls are defined
Supplier responsibility matrix Control ownership is clear
Access approval record Access follows agreement readiness
Supplier security plan Supplier understands required controls
Deviation record Exceptions are risk-assessed and approved
Legal/procurement approval Agreement is authorized
Termination clauses Exit obligations are defined

Strong evidence

  • Agreement terms map directly to supplier risk and information exposure.
  • Access is blocked until agreement requirements are approved.
  • Security responsibilities are explicit.
  • Subcontractor obligations flow down.
  • Incident notification and termination requirements are clear.
  • Deviations are documented, justified, approved, and reviewed.

Weak evidence

  • Standard procurement contract with no security schedule.
  • Security expectations sent by email but not agreed.
  • Supplier access starts before contract completion.
  • No evidence that signatories were authorized.
  • Supplier staff have access but no equivalent security obligations.
  • Exceptions exist but are not risk-assessed.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Generic supplier contract Does not address actual security exposure
Access before agreement Organization accepts unmanaged risk
No responsibility split Control gaps appear between parties
No incident clause Supplier delays or avoids notification
No subcontractor clause Risk is pushed outside the contract boundary
No termination clause Data return, deletion, and access removal become unclear
Security terms not reviewed by legal/procurement Requirements may be unenforceable

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • A.5.20 is not just “have a contract”; the contract must include relevant security requirements.
  • Requirements should depend on the supplier relationship and risk.
  • Supplier personnel with access may need controls equivalent to internal personnel.
  • Do not grant access before agreed controls are implemented.
  • Certification can be useful evidence, but it does not replace relationship-specific requirements.
  • Deviations from required supplier controls should be justified and documented.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.20 requires security requirements to be established and agreed with suppliers based on the supplier relationship. Practical implementation means risk-based contract clauses, clear control responsibilities, authorized approval, access only after requirements are in place, and documented deviations.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Supplier security
  • Contracts
  • Audit

Note Metadata

Aliases: A.5.20, Addressing Information Security Within Supplier Agreements

Source: 02 Annex A Organizational Controls/A.5.20 Addressing Information Security Within Supplier Agreements.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02
03

Audit checks

Audit questions, checklists, or review material connected to the control.

04

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.