ISO 27001 Control 5.20: Addressing Information Security Within Supplier Agreements

Establishing Information Security in Supplier Agreements: A Comprehensive Guide

Supplier relationships form a vital component of modern organisational operations, yet they can expose sensitive data to security vulnerabilities. ISO 27001 control 5.20 addresses this: by crafting robust supplier agreements with clear and comprehensive information security requirements, organisations can safeguard their data while fostering trust with their suppliers.

Purpose of Information Security in Supplier Agreements

The inclusion of information security provisions in supplier agreements via ISO 27001 Control 5.20 serves to:

  • Maintain consistent and effective information security across all supplier engagements.
  • Clearly outline the responsibilities and obligations of both the organisation and its suppliers.
  • Address and mitigate risks to information security posed by supplier relationships.

Key Components of Supplier Agreements

To ensure robust protection, supplier agreements should incorporate the following elements:

1. Information Handling

  • Clearly define the type of information to be accessed or provided and the methods for secure transfer.
  • Apply the organisation’s classification scheme to information and ensure alignment with the supplier’s scheme when applicable.

2. Legal and Regulatory Compliance

  • Specify compliance with data protection laws, intellectual property regulations, and personally identifiable information (PII) handling requirements.
  • Include provisions to meet all relevant legal, statutory, and contractual obligations.

3. Supplier Obligations

  • Define controls for access, monitoring, reporting, and auditing of information and systems.
  • Establish rules for acceptable and unacceptable uses of organisational assets and data.
  • Outline minimum security requirements for the supplier’s ICT infrastructure.

4. Incident Management

  • Detail procedures for reporting and managing security incidents.
  • Include collaboration protocols for incident investigation and remediation efforts.

5. Training and Awareness

  • Specify training requirements for supplier personnel, particularly in incident response and adherence to security protocols.

Additional Provisions for Comprehensive Security

1. Subcontracting

  • Specify conditions for the use of subcontractors, requiring equivalent security standards.
  • Maintain a current list of subcontractors and mandate advance notification of any changes.

2. Screening and Assurance

  • Establish screening requirements for supplier personnel, where legally permissible.
  • Require suppliers to provide independent attestations or periodic reports on the effectiveness of their security controls.

3. Audits and Reporting

  • Reserve the right to audit supplier processes and controls.
  • Mandate regular reporting on security measures and require timely resolution of identified issues.

4. Continuity and Backup

  • Define requirements for backups, including frequency, storage location, and retention periods.
  • Ensure access to disaster recovery facilities and fallback controls to support operational continuity.

5. Termination and Transition

  • Include clauses for the secure return or disposal of organisational assets and data upon contract termination.
  • Outline procedures for seamless handovers to new suppliers or back to the organisation.

Managing and Maintaining Supplier Agreements

To ensure the effectiveness of supplier agreements, ISO 27001 control 5.20 requires organisations to:

  1. Maintain a Register: Document all agreements, including contracts, memorandums of understanding, and information-sharing protocols.
  2. Conduct Regular Reviews: Periodically review and update agreements to reflect current security needs and regulatory changes.
  3. Validate Compliance: Ensure agreements continue to address all relevant information security risks through ongoing validation.

FAQs

What is the purpose of ISO 27001 Control 5.20: Addressing Information Security Within Supplier Agreements?

This control ensures that information security requirements are clearly defined and agreed upon within supplier contracts and agreements. The goal is to formalise expectations and obligations, reducing the risk of misunderstandings or gaps in supplier performance.

What types of information security clauses should be included in supplier agreements under control 5.20?

Contracts should cover, where applicable:
– Data protection obligations, including confidentiality and data handling rules
– Access control requirements (e.g. least privilege, authentication standards)
– Incident reporting and response expectations
– Audit and compliance rights
– Subcontractor controls and approval requirements
– Right to terminate for security breaches

Which suppliers should have these clauses in their agreements?

Any supplier that handles, stores, processes, or has access to confidential, sensitive, or personal information, or that supports critical systems, should be covered. This includes cloud providers, SaaS vendors, IT support firms, and outsourced developers.

How can organisations ensure security clauses are effective and enforceable?

To strengthen enforceability:
– Involve legal and security teams during contract negotiation
– Use clear, unambiguous language
– Reference recognised standards (e.g. ISO 27001, NIST)
– Set measurable service levels for security performance
– Include a process for ongoing review and updates to agreements

Who is responsible for including and reviewing security terms in supplier contracts?

Responsibility typically sits with procurement and legal teams, in collaboration with information security or risk management. A cross-functional approach ensures that security requirements are correctly scoped, relevant to the service, and aligned with organisational policies.

Conclusion

ISO 27001 control 5.20 and supplier agreements play a pivotal role in securing organisational assets and data. By establishing clear, comprehensive security requirements and maintaining regular oversight, organisations can effectively mitigate risks, foster trust, and enhance resilience.

Regular reviews and proactive management ensure these agreements remain aligned with evolving security requirements, bolstering the organisation’s overall security posture.

For further guidance, consult the ISO/IEC 27036 series for supplier agreements and the ISO/IEC 19086 series for cloud service agreements.