Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.”
Plain-language meaning
The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.
This is about inherited risk. A cloud provider, software vendor, managed service provider, hardware vendor, support franchise, hosting provider, or SaaS platform may rely on other parties. Those upstream or downstream parties can still affect the organization’s confidentiality, integrity, availability, compliance, and resilience.
Why this matters
The ICT supply chain is rarely a simple one-to-one relationship.
Examples:
- a SaaS provider uses a cloud hosting provider;
- a software vendor outsources support;
- a managed service provider uses subcontracted engineers;
- a hardware vendor depends on component suppliers;
- a disposal supplier uses another firm for final destruction;
- a data center maintenance supplier uses specialist subcontractors.
Security failures can enter through any of these dependencies. If the organization only reviews the direct supplier, it may miss the real source of risk.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Identify ICT supply-chain dependencies
For important ICT products and services, identify:
- direct supplier;
- critical subcontractors;
- cloud or hosting dependencies;
- support and maintenance parties;
- software components or managed platforms;
- data storage and processing locations;
- parties with administrative or support access;
- third parties involved in disposal, repair, monitoring, or maintenance.
The depth of investigation should match the risk. A critical cloud platform deserves deeper review than a low-risk commodity tool.
2. Include inherited risk in supplier assessment
Supplier assessment should ask:
| Question | Why it matters |
|---|---|
| Who else supports the service? | Identifies hidden dependencies |
| Who can access our data or systems? | Identifies confidentiality and integrity risk |
| Where is data stored or processed? | Identifies jurisdiction and transfer risk |
| How are subcontractors selected? | Identifies supplier governance maturity |
| How are supplier changes approved? | Identifies uncontrolled dependency changes |
| What assurance exists for critical dependencies? | Supports risk-based confidence |
3. Use agreements to control the supplier network
The organization usually cannot contract with every party in the supplier’s supply chain. It should manage inherited risk through its direct supplier agreement.
Useful contract requirements include:
- disclosure of critical subcontractors;
- approval before material subcontractor changes;
- flow-down of security obligations;
- incident notification across the supply chain;
- restrictions on data location and transfer;
- secure development and maintenance requirements;
- vulnerability notification;
- right to review assurance evidence;
- exit support and continuity commitments.
4. Watch supplier changes
ICT supply-chain risk changes when the supplier changes:
- hosting provider;
- subcontractor;
- support model;
- data location;
- ownership;
- software component;
- remote access method;
- operational process.
These changes should trigger risk review and, where needed, contract or control updates.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that ICT supplier risk assessment includes supply-chain dependencies, not only the direct supplier.
Audit tests:
- sample critical ICT suppliers;
- review whether supply-chain dependencies are recorded;
- check whether supplier agreements address subcontractors and flow-down controls;
- verify risk assessments consider indirect suppliers;
- check how supplier changes are detected and reviewed;
- review assurance evidence for high-risk ICT services;
- confirm controls are proportionate to the service impact.
The auditor should challenge a supplier review that says “vendor is approved” without addressing who the vendor depends on for service delivery.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| ICT supply-chain risk register | Dependencies are identified |
| Supplier risk assessment | Inherited risk is assessed |
| Supplier architecture/service description | Shows how the service is delivered |
| Subcontractor disclosure | Identifies delegated service parties |
| Agreement clauses | Controls flow down to relevant parties |
| Assurance reports/certifications | Supports supplier control claims |
| Change notifications | Shows supplier changes are monitored |
| Incident reports | Shows supply-chain events are escalated |
Strong evidence
- Critical ICT suppliers have dependency maps or recorded supply-chain data.
- Agreements require notification of material subcontractor or platform changes.
- Risk assessment includes hosting, support, subcontractor, and data location risks.
- High-risk supplier assurance is reviewed periodically.
- Supplier changes trigger risk review.
Weak evidence
- Supplier review only covers the direct vendor name.
- No record of subcontractors or hosting dependencies.
- Supplier changes are discovered informally.
- Contracts do not mention subcontractors or flow-down requirements.
- ICT supply-chain risk is treated as a procurement issue only.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| No visibility beyond direct supplier | Inherited risks remain hidden |
| No subcontractor change notification | Risk can change without approval |
| No data location review | Legal and confidentiality risks may be missed |
| No flow-down obligations | Supplier’s supplier may not follow required controls |
| No criticality tiering | Low-risk and high-risk suppliers get the same shallow review |
| No assurance review | Supplier claims are not validated |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.21 is ICT-specific supply-chain risk, not general supplier management.
- The concern is not only direct suppliers; indirect suppliers can affect security.
- The organization may manage indirect risk through the direct supplier agreement.
- The depth of review should be proportional to risk and criticality.
- Supplier change management is central because the supply chain changes over time.
Related controls and concepts
- A.5.19 Information Security in Supplier Relationships
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.5.22 Monitoring, Review and Change Management of Supplier Services
- Risk Assessment
- Statement of Applicability
- A.5.8 Information Security in Project Management
- A.5.14 Information Transfer
- Supplier Security Register
- Supplier Security Risk Assessment
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.21 requires the organization to manage ICT supply-chain information security risk, including risks inherited through subcontractors, cloud providers, hosting platforms, support parties, components, and other dependencies. The practical control is risk-based visibility, agreement clauses, change notification, assurance review, and ongoing reassessment.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Supplier security
- Ict supply chain
- Audit
Note Metadata
Aliases: A.5.21, Managing Information Security in the ICT Supply Chain
Source: 02 Annex A Organizational Controls/A.5.21 Managing Information Security in the ICT Supply Chain.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.8 - Information Security in Project Management
- A.5 Organizational Controls MOC
- A.5.21 Audit Evidence Pack
- AQ-ISO27001-A.5.21 Managing Information Security in the ICT Supply Chain
- ISO 27001 A.8.30 - Outsourced Development
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.21 Managing Information Security in the ICT Supply Chain
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-008 - Supplier and Cloud Control Distinctions
- ISO 27002 Annex A Control Interpretation Map
- A.5.21 Audit Checklist
- ICT Supply Chain Risk Register
- Supplier Security Agreement Requirements Checklist
- Supplier Security Register
- Supplier Security Risk Assessment
- Supplier Service Review and Change Log
- Annex A Controls MOC