When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.
Checklist
- Supplier risk assessment exists.
- Supplier agreement or contract exists.
- Security requirements match supplier access, information exposure, and service criticality.
- Agreement includes confidentiality and information handling requirements.
- Agreement includes access control and authentication requirements where relevant.
- Agreement includes incident notification requirements.
- Agreement includes subcontractor and flow-down requirements where relevant.
- Agreement includes termination, return, deletion, or exit requirements.
- Control responsibilities between parties are clear.
- Agreement is approved by authorized representatives.
- Supplier access did not begin before required controls were agreed.
- Deviations are documented, justified, approved, and reviewed.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 20
Note Metadata
Aliases: A.5.20 Checklist
Source: 90 Templates/A.5.20 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- A.5.20 Audit Evidence Pack
- Audit Evidence MOC
- AQ-ISO27001-A.5.20 Addressing Information Security Within Supplier Agreements
- Supplier Security Agreement Requirements Checklist
- Supplier Security Responsibility Matrix
- Audit Evidence Index
- Templates MOC