What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information sharing begins.
Evidence to request
| Evidence | Purpose |
|---|---|
| Supplier risk assessment | Shows agreement requirements are risk-based |
| Supplier contract or agreement | Shows requirements are formally agreed |
| Security schedule/addendum | Shows detailed controls are included |
| Supplier responsibility matrix | Shows control ownership between parties |
| Access approval records | Shows access follows agreement readiness |
| Supplier security plan | Shows supplier understands requirements |
| Deviation/exception records | Shows unmet requirements are managed |
| Approval/signatory evidence | Shows agreement is authorized |
| Termination and exit clauses | Shows end-of-service obligations are defined |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Contract terms map to supplier access, information exposure, and service criticality.
- Security requirements are agreed before supplier access begins.
- Responsibilities are explicitly assigned.
- Subcontractor, incident, audit, termination, and data handling terms are included where relevant.
- Deviations are risk-assessed, approved, and reviewed.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Generic contract with no security clauses.
- Supplier access granted before agreement completion.
- Security requirements exist only in email.
- No clear responsibility split.
- No evidence of authorized approval.
- Exceptions are accepted informally.
Sample interview questions
- How do you decide which security clauses apply to each supplier?
- Who approves supplier security requirements?
- What prevents supplier access before requirements are agreed?
- How are deviations from supplier security requirements approved?
- How are subcontractor, incident, termination, and audit requirements handled?
Common nonconformities
- Security requirements not included in supplier agreements.
- Agreement does not match supplier risk.
- Access granted before security terms are in place.
- Supplier responsibilities unclear.
- No documented approval for deviations.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 20
Note Metadata
Aliases: A.5.20 Evidence
Source: 04 Audit Evidence Packs/A.5.20 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- Audit Evidence MOC
- AQ-ISO27001-A.5.20 Addressing Information Security Within Supplier Agreements
- A.5 Organizational Controls Audit Guide
- A.5.20 Audit Checklist
- Supplier Security Agreement Requirements Checklist
- Supplier Security Responsibility Matrix
- Audit Evidence Index