UnixTime

Research Note

ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain

The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.

On this page

Requirement

Requirement lens

Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.

“Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.”

Plain-language meaning

The organization must manage security risks that come through ICT suppliers and the suppliers behind those suppliers.

This is about inherited risk. A cloud provider, software vendor, managed service provider, hardware vendor, support franchise, hosting provider, or SaaS platform may rely on other parties. Those upstream or downstream parties can still affect the organization’s confidentiality, integrity, availability, compliance, and resilience.

Why this matters

The ICT supply chain is rarely a simple one-to-one relationship.

Examples:

  • a SaaS provider uses a cloud hosting provider;
  • a software vendor outsources support;
  • a managed service provider uses subcontracted engineers;
  • a hardware vendor depends on component suppliers;
  • a disposal supplier uses another firm for final destruction;
  • a data center maintenance supplier uses specialist subcontractors.

Security failures can enter through any of these dependencies. If the organization only reviews the direct supplier, it may miss the real source of risk.

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

1. Identify ICT supply-chain dependencies

For important ICT products and services, identify:

  • direct supplier;
  • critical subcontractors;
  • cloud or hosting dependencies;
  • support and maintenance parties;
  • software components or managed platforms;
  • data storage and processing locations;
  • parties with administrative or support access;
  • third parties involved in disposal, repair, monitoring, or maintenance.

The depth of investigation should match the risk. A critical cloud platform deserves deeper review than a low-risk commodity tool.

2. Include inherited risk in supplier assessment

Supplier assessment should ask:

Question Why it matters
Who else supports the service? Identifies hidden dependencies
Who can access our data or systems? Identifies confidentiality and integrity risk
Where is data stored or processed? Identifies jurisdiction and transfer risk
How are subcontractors selected? Identifies supplier governance maturity
How are supplier changes approved? Identifies uncontrolled dependency changes
What assurance exists for critical dependencies? Supports risk-based confidence

3. Use agreements to control the supplier network

The organization usually cannot contract with every party in the supplier’s supply chain. It should manage inherited risk through its direct supplier agreement.

Useful contract requirements include:

  • disclosure of critical subcontractors;
  • approval before material subcontractor changes;
  • flow-down of security obligations;
  • incident notification across the supply chain;
  • restrictions on data location and transfer;
  • secure development and maintenance requirements;
  • vulnerability notification;
  • right to review assurance evidence;
  • exit support and continuity commitments.

4. Watch supplier changes

ICT supply-chain risk changes when the supplier changes:

  • hosting provider;
  • subcontractor;
  • support model;
  • data location;
  • ownership;
  • software component;
  • remote access method;
  • operational process.

These changes should trigger risk review and, where needed, contract or control updates.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors should verify that ICT supplier risk assessment includes supply-chain dependencies, not only the direct supplier.

Audit tests:

  • sample critical ICT suppliers;
  • review whether supply-chain dependencies are recorded;
  • check whether supplier agreements address subcontractors and flow-down controls;
  • verify risk assessments consider indirect suppliers;
  • check how supplier changes are detected and reviewed;
  • review assurance evidence for high-risk ICT services;
  • confirm controls are proportionate to the service impact.

The auditor should challenge a supplier review that says “vendor is approved” without addressing who the vendor depends on for service delivery.

Evidence examples

Evidence quality

Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.

Evidence What it proves
ICT supply-chain risk register Dependencies are identified
Supplier risk assessment Inherited risk is assessed
Supplier architecture/service description Shows how the service is delivered
Subcontractor disclosure Identifies delegated service parties
Agreement clauses Controls flow down to relevant parties
Assurance reports/certifications Supports supplier control claims
Change notifications Shows supplier changes are monitored
Incident reports Shows supply-chain events are escalated

Strong evidence

  • Critical ICT suppliers have dependency maps or recorded supply-chain data.
  • Agreements require notification of material subcontractor or platform changes.
  • Risk assessment includes hosting, support, subcontractor, and data location risks.
  • High-risk supplier assurance is reviewed periodically.
  • Supplier changes trigger risk review.

Weak evidence

  • Supplier review only covers the direct vendor name.
  • No record of subcontractors or hosting dependencies.
  • Supplier changes are discovered informally.
  • Contracts do not mention subcontractors or flow-down requirements.
  • ICT supply-chain risk is treated as a procurement issue only.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
No visibility beyond direct supplier Inherited risks remain hidden
No subcontractor change notification Risk can change without approval
No data location review Legal and confidentiality risks may be missed
No flow-down obligations Supplier’s supplier may not follow required controls
No criticality tiering Low-risk and high-risk suppliers get the same shallow review
No assurance review Supplier claims are not validated

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • A.5.21 is ICT-specific supply-chain risk, not general supplier management.
  • The concern is not only direct suppliers; indirect suppliers can affect security.
  • The organization may manage indirect risk through the direct supplier agreement.
  • The depth of review should be proportional to risk and criticality.
  • Supplier change management is central because the supply chain changes over time.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

A.5.21 requires the organization to manage ICT supply-chain information security risk, including risks inherited through subcontractors, cloud providers, hosting platforms, support parties, components, and other dependencies. The practical control is risk-based visibility, agreement clauses, change notification, assurance review, and ongoing reassessment.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Organizational controls
  • Supplier security
  • Ict supply chain
  • Audit

Note Metadata

Aliases: A.5.21, Managing Information Security in the ICT Supply Chain

Source: 02 Annex A Organizational Controls/A.5.21 Managing Information Security in the ICT Supply Chain.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.