Supply chain attacks have become one of the most significant threats to organisational security.
You don’t have to look far for examples: the SolarWinds compromise affected thousands of organisations through a single trusted software supplier, and the MOVEit breach exposed data at hundreds of companies via a file transfer tool that many had not even classified as a critical system. In both cases the attackers never needed to breach the target directly; they went through a supplier instead.
ISO 27001 supplier reviews push companies to take supplier security seriously. Controls 5.19 to 5.22 establish a framework for identifying, assessing, contracting with, and continuously reviewing the suppliers that have access to your information or systems.
The following guide explains what each control requires and — more importantly — how to build a supplier review process that is practical to operate and convincing to an auditor.
What ISO 27001 Requires: Controls 5.19 to 5.22
The four supplier controls in Annex A work together as a lifecycle:
Control 5.19 — Information security in supplier relationships requires you to define and implement a policy for managing information security risks associated with suppliers. This is the foundational control — before you can review suppliers, you need an approach that defines how you identify relevant suppliers, how you classify them by risk, and what your minimum security expectations are.
Control 5.20 — Addressing information security within supplier agreements requires that information security requirements are established and agreed with each supplier. In practice, this means your contracts and agreements with relevant suppliers must include security obligations — data handling requirements, incident notification, audit rights, sub-contractor controls and so on.
Control 5.21 — Managing information security in the ICT supply chain focuses specifically on technology products and services — software, hardware, cloud services, managed services. It requires you to manage security risks arising from the ICT supply chain, including the provenance of components and the security practices of technology providers.
Control 5.22 — Monitoring, review and change management of supplier services is the ongoing review control. It requires you to regularly monitor, review and audit supplier service delivery, manage changes to supplier services, and maintain an appropriate level of assurance over time.
Together, these controls describe a complete supplier management lifecycle: define your approach, establish contractual requirements, manage the ICT supply chain, and keep reviewing. The rest of this guide explains how to implement each stage practically.
Step 1: Build Your Supplier Register
Before you can manage supplier security, you need to know who your suppliers are. This sounds obvious, but many organisations discover during ISO 27001 implementation that their supplier landscape is significantly larger than expected — particularly when cloud services and SaaS tools used by individual departments are taken into account.
Your supplier register is a core ISMS document. At minimum, it should capture:
- Supplier name and primary contact
- Nature of the relationship (what they supply or access)
- Whether they have access to your information systems or data
- What categories of data they handle, if any
- The tier or risk classification (see Step 2)
- The date of the last security assessment or review
- The date the next review is due
- A reference to the relevant contract or agreement
Start by pulling together every supplier relationship you can identify: IT managed service providers, cloud platforms, software vendors, payroll processors, HR systems, legal advisers, accountants, cleaning contractors, physical security companies, couriers. Then filter for relevance — the ones that handle your information, have access to your systems, or whose failure would significantly affect your ability to operate.
Not every supplier makes it onto the register. A company that supplies printer paper and has no access to your premises or information is not a relevant supplier from an information security perspective. Focus your register on those that could realistically affect your information security.
Step 2: Classify Suppliers by Risk
A proportionate supplier process requires tiering. Applying the same level of scrutiny to every supplier — from your critical cloud infrastructure provider to a one-off training company — is neither practical nor required by the standard.
A three-tier model works well for most organisations:
Tier 1 — Critical suppliers are those whose compromise or failure could directly lead to a significant information security incident. This typically includes: cloud infrastructure providers (AWS, Azure, GCP), managed IT service providers with privileged access, payroll and HR processors, software platforms holding sensitive business data, and any supplier with direct access to your production systems or customer data. These suppliers warrant the most thorough initial assessment and the most frequent review — at least annually, often more frequently for the highest-risk relationships.
Tier 2 — Standard suppliers have meaningful access to your information or systems but represent a lower inherent risk than Tier 1. Examples include SaaS tools with limited data access, professional services firms that handle some confidential information, and software suppliers whose products are business-critical but who have no direct access to your systems. Annual assessment and review is appropriate.
Tier 3 — Low-risk suppliers have minimal or no access to sensitive information and represent low information security risk. Reviews can be less frequent — every two to three years, or triggered by a change in the relationship rather than on a fixed schedule.
The tiering decision should be documented in your supplier register and revisited when the nature of a supplier relationship changes.
[Figure: Supplier Classification: A Three-Tier Model. ISO 27001 requires a proportionate approach; not every supplier needs the same level of scrutiny.]
Step 3: Assess Suppliers Before Engagement
Control 5.19 requires you to assess the security posture of suppliers before they get access to your information or systems, not after. The depth of that assessment should be proportionate to the tier.
For Tier 1 suppliers, a thorough assessment is warranted. This might include:
- Reviewing their own ISO 27001 certificate or SOC 2 report (if applicable)
- Completing a security questionnaire covering their controls, incident response capability, sub-contractor management and data handling practices
- Reviewing their relevant policies on request
- Checking their contractual obligations around security and data protection
For Tier 2 suppliers, a lighter-touch assessment is typically sufficient:
- A shorter security questionnaire or a review of their security documentation
- Checking whether they hold relevant certifications
- Reviewing their standard contract terms for security clauses
For Tier 3 suppliers, a basic check is proportionate:
- Confirming they have adequate security policies and practices in place
- Reviewing their standard data processing agreement if they handle any personal data
Keep evidence of these assessments. An auditor reviewing your supplier management process will ask to see how you assessed suppliers before granting access, particularly for Tier 1 relationships.
Step 4: Get the Right Contractual Protections (Control 5.20)
A supplier assessment tells you what their current security posture is. A supplier agreement creates obligations that must be maintained throughout the relationship.
Control 5.20 requires that information security requirements are established and agreed with each relevant supplier. In practice this means your contracts or data processing agreements should include clauses covering:
Data handling requirements — what data can be processed, for what purpose, in what locations, and with what retention and deletion obligations.
Security standards — minimum security requirements the supplier must maintain, or a requirement to maintain ISO 27001 certification or equivalent.
Incident notification — an obligation to notify you within a defined timeframe (often 24–72 hours) if they experience a security incident that affects your data or services.
Sub-contractor controls — restrictions on the supplier’s ability to pass your data or access to third parties without your approval, and a requirement to flow down equivalent security obligations to any sub-contractors.
Audit and inspection rights — the right to audit the supplier’s security controls, or to request evidence of independent audits (such as their ISO 27001 certificate or SOC 2 report).
Right to terminate — provisions that allow you to exit the contract if the supplier suffers a significant security failure or material breach of the security obligations.
For Tier 1 suppliers, these clauses should be negotiated specifically. For smaller or less critical suppliers, a well-drafted standard Data Processing Agreement will often cover the basics. Whatever the approach, keep a copy of the signed agreement referenced in your supplier register.
Step 5: Manage the ICT Supply Chain (Control 5.21)
Control 5.21 extends the supplier framework specifically to ICT products and services. It recognises that technology supply chains carry risks beyond what a standard supplier relationship might surface — the security of software components, the provenance of hardware, and the practices of cloud providers all require specific consideration.
In practice, for most organisations this control means:
Assessing cloud and SaaS providers — applying the same assessment and contractual framework to technology platforms as you would to any other supplier, with particular attention to where data is stored, how it is encrypted, and what the provider’s incident response and availability commitments are.
Considering software supply chain risk — for organisations that develop software, understanding the security of open-source components and third-party libraries used in your products. Tools that scan for known vulnerabilities in dependencies are increasingly standard practice.
Hardware provenance for sensitive environments — for organisations handling highly sensitive data, considering the origin and supply chain integrity of physical equipment, particularly for items like networking hardware.
For most SMEs, control 5.21 is addressed primarily through the cloud and SaaS provider assessments in your Tier 1 and Tier 2 supplier process, with documented evidence that you have considered and mitigated ICT-specific risks.
Step 6: The Ongoing Review Process (Control 5.22)
Control 5.22 is where many organisations fall short. The initial assessment and contract are completed, the supplier goes onto the register, and nothing happens again until the certification auditor asks when the last review took place.
A functioning review process does not require lengthy audits of every supplier every year. It requires a proportionate, documented approach to monitoring supplier performance and maintaining assurance over time.
For Tier 1 suppliers, an annual review should cover:
- Have there been any security incidents involving this supplier in the past year?
- Has their certification status changed (ISO 27001 certificate expired, SOC 2 report not renewed)?
- Have there been any changes to the services they provide, the data they handle, or the systems they can access?
- Have they introduced new sub-contractors or changed their infrastructure in ways that affect your risk assessment?
- Are they meeting their contractual security obligations?
- Is there any intelligence — news reports, security bulletins, industry information — that affects your assessment of this supplier?
This does not require a formal on-site visit in most cases. A structured questionnaire, a video call with the supplier’s security contact, or a review of their current certification and audit reports is often sufficient — provided you document it.
For Tier 2 suppliers, an annual check is appropriate, but can be lighter — reviewing their certification status, checking for any known incidents, and confirming the relationship has not changed materially.
For Tier 3 suppliers, a periodic review triggered by changes in the relationship or on a two-to-three-year cycle is proportionate.
Managing Supplier Changes
Control 5.22 also specifically requires you to manage changes to supplier services. When a supplier changes something material — a new sub-processor, a migration to a different cloud region, a change in their security architecture, an acquisition — that should trigger a review, not wait until the next scheduled assessment.
Your supplier agreements should require suppliers to notify you of significant changes. Your internal process should have a clear owner who receives and acts on those notifications.
[Figure: The Annual Supplier Review: What to Cover. Control 5.22 — a structured agenda for Tier 1 and Tier 2 supplier reviews.]
What Auditors Look For
When a certification body auditor reviews your supplier management process, they will typically ask for:
The supplier register — is it complete, up to date, and does it show evidence of classification and review dates?
Evidence of assessments — for your most significant suppliers, how did you assess them before granting access? Do you have questionnaire responses, copies of their certifications, or assessment notes?
Copies of agreements — do relevant contracts include security clauses? Are data processing agreements in place where required?
Evidence of ongoing reviews — when was the last review of your Tier 1 suppliers conducted? What did it find? What happened as a result?
Management of changes — has any supplier changed something significant in the past year? How did you find out and what did you do?
The most common finding in this area is not that the initial process is absent — it is that the ongoing review process has lapsed. Organisations complete thorough supplier assessments at implementation and then nothing happens again. Surveillance auditors look specifically at the gap between the last review date and today.
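As an added example (not from the article), the review cadence and change-trigger rule described above expressed as a small Python scheduler over a constructed supplier register: the tier intervals, supplier names, dates and contract references are all assumptions. It also derives the "next review due" register field from Step 1 and reports the gap between last review and today that a surveillance auditor measures.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Maximum interval between reviews per tier, following the article's cadence:
# Tier 1 and Tier 2 at least annually, Tier 3 on a two-to-three-year cycle
# (upper end used here). These are constructed policy values.
REVIEW_INTERVAL = {1: timedelta(days=365), 2: timedelta(days=365), 3: timedelta(days=3 * 365)}

@dataclass
class Supplier:
    """One row of the supplier register (hypothetical minimal schema)."""
    name: str
    tier: int
    last_review: date
    contract_ref: str
    # Material changes the supplier has notified since last_review, e.g. a new
    # sub-processor or a cloud-region migration (Control 5.22 change management).
    changes_since_review: list = field(default_factory=list)

def next_review_due(s: Supplier) -> date:
    """The 'next review due' date recorded in the register for this supplier."""
    return s.last_review + REVIEW_INTERVAL[s.tier]

def review_findings(register: list, today: date) -> dict:
    """Map supplier name -> reason for every supplier that needs a review now."""
    findings = {}
    for s in register:
        # A notified material change triggers a review immediately, whatever the tier.
        if s.changes_since_review:
            findings[s.name] = "change-triggered: " + "; ".join(s.changes_since_review)
        # Otherwise flag once the tier's interval has lapsed, reporting the gap
        # between last review and today that a surveillance auditor would measure.
        elif next_review_due(s) <= today:
            gap = (today - s.last_review).days
            findings[s.name] = (f"lapsed: last reviewed {gap} days ago, tier {s.tier} "
                                f"limit is {REVIEW_INTERVAL[s.tier].days} days")
    return findings

# Constructed sample register; supplier names, dates and contract refs are illustrative.
SAMPLE_REGISTER = [
    Supplier("CloudHost", 1, date(2024, 3, 15), "CTR-001"),
    Supplier("PayrollCo", 1, date(2024, 9, 1), "CTR-002", ["new sub-processor notified"]),
    Supplier("DesignAgency", 2, date(2024, 7, 20), "CTR-003"),
    Supplier("NotesSaaS", 3, date(2023, 1, 10), "CTR-004"),
]
AUDIT_DATE = date(2025, 6, 1)  # the constructed "today" of the audit

if __name__ == "__main__":
    for name, reason in review_findings(SAMPLE_REGISTER, AUDIT_DATE).items():
        print(f"{name}: {reason}")
```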
FAQs
Do we need to assess every supplier we use?
No — the standard requires a proportionate approach. The focus should be on suppliers that have access to your information, systems, or premises, or whose failure would materially affect your information security. A proportionate risk-based classification (tiering) allows you to apply rigorous assessment to critical suppliers and lighter-touch reviews to lower-risk relationships. Not every supplier makes it onto your register at all.
What if a key supplier refuses to complete a security questionnaire?
This happens, particularly with large platform providers. In those cases, rely on available evidence: their ISO 27001 certificate, SOC 2 or SOC 3 reports, published security whitepapers, and contractual commitments in their standard terms. Document your assessment methodology and note that direct questionnaire completion was not available but alternative assurance was obtained. If a Tier 1 supplier provides no security assurance of any kind, that is itself a risk that should be escalated and managed.
We use dozens of SaaS tools — do we need to assess all of them?
Not necessarily at the same depth. The priority is data access and criticality. A SaaS tool that processes personal data or connects to your core systems warrants thorough assessment. A browser extension used by one person for note-taking warrants a basic check. Tiering allows you to apply proportionate effort. It is also worth reviewing whether all those tools are authorised — shadow IT (tools used without IT or security approval) is itself an information security risk worth addressing.
How do we handle suppliers that are ISO 27001 certified themselves?
Their certification provides meaningful assurance and reduces the depth of assessment required — particularly if the scope of their certificate covers the services they provide to you. Request a copy of their current certificate and check the scope. It does not eliminate your obligation to have contractual protections in place, but it substantially reduces the burden of independent assessment. Review their certificate at each annual review to confirm it has not lapsed.
What should we do if a supplier has a security incident?
Your supplier agreement should require them to notify you within an agreed timeframe. When notification is received, assess the impact on your data and systems, determine whether the incident triggers any of your own notification obligations (to regulators, customers, or the ICO), and document your response. The incident should be logged as a potential risk event and factored into the next supplier review — including whether the relationship should continue, require additional controls, or be terminated. Handling supplier incidents well is evidence that your supplier management process is genuinely operational.