Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.”
Plain-language meaning
The organization must put the right security requirements into supplier contracts or agreements before the supplier receives access to information, systems, facilities, or services.
A.5.19 says supplier security risks must be managed. A.5.20 makes the agreement part explicit: the supplier must know, accept, and be bound by the security requirements that match the relationship.
Why this matters
Supplier personnel may need the same level of security discipline as internal staff, but the organization does not directly manage the supplier’s people, infrastructure, policies, or risk appetite.
Without agreement terms, security expectations become informal requests. Informal requests are weak when there is a breach, service failure, dispute, audit finding, subcontractor issue, or termination.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Start from supplier risk and relationship type
Do not use the same contract language for every supplier. Define requirements based on:
| Factor | What to consider |
|---|---|
| Information exposed | Classification, volume, sensitivity, legal duties |
| Access type | Physical, logical, remote, privileged, production, support |
| Service criticality | Business dependency, availability impact, recovery needs |
| Supplier role | Processor, support provider, cloud host, consultant, facilities provider |
| Location and jurisdiction | Legal, transfer, privacy, and enforcement issues |
| Subcontractors | Whether work may be delegated and under what rules |
| Assurance need | Certification, reports, audit rights, questionnaires |
The agreement should reflect the risk assessment, not generic procurement wording.
2. Define security requirements before access
Supplier access should not begin until required controls are agreed and implemented.
Typical agreement requirements include:
- confidentiality and non-disclosure;
- acceptable use;
- access control and identity requirements;
- MFA or privileged access requirements;
- information classification and handling;
- secure transfer methods;
- incident notification timeframes;
- logging and monitoring expectations;
- vulnerability and patch expectations;
- service availability and continuity requirements;
- audit, assurance, and right-to-review clauses;
- subcontractor restrictions and flow-down obligations;
- data return, deletion, or transfer at termination;
- liability, breach handling, and non-performance consequences.
3. Identify who is responsible for each control
Supplier agreements should not say “security will be maintained” without assigning responsibility.
Use a control responsibility matrix:
| Control area | Organization | Supplier | Shared |
|---|---|---|---|
| User approval | Yes | No | No |
| Account provisioning | Sometimes | Sometimes | Yes |
| Secure configuration | Sometimes | Sometimes | Yes |
| Incident notification | No | Yes | Yes |
| Access review | Yes | Sometimes | Yes |
| Data deletion at exit | No | Yes | Yes |
The point is not the exact split. The point is that both parties understand it.
4. Confirm authorized signatories
The agreement should be approved by people who have authority to bind each party. Security requirements can fail if agreed informally by operational staff without legal, procurement, supplier owner, or management approval.
5. Document deviations
If a supplier cannot meet a required security term, record:
- the deviation;
- risk impact;
- compensating controls;
- approval;
- review date;
- whether the Statement of Applicability or risk treatment plan is affected.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should sample supplier relationships and verify that security requirements are established, agreed, approved, and appropriate to the relationship.
Audit tests:
- compare supplier risk assessments to contract requirements;
- verify that access was not granted before required terms were in place;
- check whether supplier staff with access are subject to equivalent controls;
- review whether responsibilities are assigned between parties;
- verify signatory authority;
- check how deviations are approved and tracked;
- test whether termination and change clauses exist;
- confirm that security terms cover non-performance, incidents, liability, and disruption.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Supplier risk assessment | Requirements are risk-based |
| Contract or agreement | Requirements are formally agreed |
| Security schedule or addendum | Detailed controls are defined |
| Supplier responsibility matrix | Control ownership is clear |
| Access approval record | Access follows agreement readiness |
| Supplier security plan | Supplier understands required controls |
| Deviation record | Exceptions are risk-assessed and approved |
| Legal/procurement approval | Agreement is authorized |
| Termination clauses | Exit obligations are defined |
Strong evidence
- Agreement terms map directly to supplier risk and information exposure.
- Access is blocked until agreement requirements are approved.
- Security responsibilities are explicit.
- Subcontractor obligations flow down.
- Incident notification and termination requirements are clear.
- Deviations are documented, justified, approved, and reviewed.
Weak evidence
- Standard procurement contract with no security schedule.
- Security expectations sent by email but not agreed.
- Supplier access starts before contract completion.
- No evidence that signatories were authorized.
- Supplier staff have access but no equivalent security obligations.
- Exceptions exist but are not risk-assessed.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Generic supplier contract | Does not address actual security exposure |
| Access before agreement | Organization accepts unmanaged risk |
| No responsibility split | Control gaps appear between parties |
| No incident clause | Supplier delays or avoids notification |
| No subcontractor clause | Risk is pushed outside the contract boundary |
| No termination clause | Data return, deletion, and access removal become unclear |
| Security terms not reviewed by legal/procurement | Requirements may be unenforceable |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.20 is not just “have a contract”; the contract must include relevant security requirements.
- Requirements should depend on the supplier relationship and risk.
- Supplier personnel with access may need controls equivalent to internal personnel.
- Do not grant access before agreed controls are implemented.
- Certification can be useful evidence, but it does not replace relationship-specific requirements.
- Deviations from required supplier controls should be justified and documented.
Related controls and concepts
- A.5.19 Information Security in Supplier Relationships
- A.5.21 Managing Information Security in the ICT Supply Chain
- A.5.22 Monitoring, Review and Change Management of Supplier Services
- Risk Assessment
- Statement of Applicability
- A.5.14 Information Transfer
- A.5.15 Access Control
- A.5.18 Access Rights
- Supplier Security Register
- Supplier Security Risk Assessment
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.20 requires security requirements to be established and agreed with suppliers based on the supplier relationship. Practical implementation means risk-based contract clauses, clear control responsibilities, authorized approval, access only after requirements are in place, and documented deviations.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Supplier security
- Contracts
- Audit
Note Metadata
Aliases: A.5.20, Addressing Information Security Within Supplier Agreements
Source: 02 Annex A Organizational Controls/A.5.20 Addressing Information Security Within Supplier Agreements.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- A.5 Organizational Controls MOC
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- A.5.20 Audit Evidence Pack
- AQ-ISO27001-A.5.20 Addressing Information Security Within Supplier Agreements
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.30 - Outsourced Development
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.20 Addressing Information Security Within Supplier Agreements
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-008 - Supplier and Cloud Control Distinctions
- ISO 27002 Annex A Control Interpretation Map
- A.5.20 Audit Checklist
- Certificate Authority and Certificate Review
- Cloud Security Requirements and Exit Checklist
- ICT Supply Chain Risk Register
- Network Service Security Requirements Register
- Network Service SLA and Security Feature Review
- Outsourced Development Security Requirements Checklist
- Supplier Security Agreement Requirements Checklist
- Supplier Security Register
- Supplier Security Responsibility Matrix
- Supplier Security Risk Assessment
- Annex A Controls MOC