When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.
Checklist
- Critical ICT suppliers are identified.
- ICT supply-chain dependencies are recorded for high-risk services.
- Subcontractors, hosting, support, and data location risks are considered.
- Supplier agreements include relevant supply-chain security requirements.
- Flow-down obligations are defined where relevant.
- Material subcontractor or platform changes require notification.
- Supplier assurance evidence is reviewed for high-risk services.
- Supply-chain changes trigger risk reassessment.
- Incidents involving supply-chain dependencies are escalated.
- Review depth is proportionate to supplier criticality.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 21
Note Metadata
Aliases: A.5.21 Checklist
Source: 90 Templates/A.5.21 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- A.5.21 Audit Evidence Pack
- Audit Evidence MOC
- AQ-ISO27001-A.5.21 Managing Information Security in the ICT Supply Chain
- ICT Supply Chain Risk Register
- Supplier Security Agreement Requirements Checklist
- Audit Evidence Index
- Templates MOC