How to Implement ISO 27001 Annex A 5.20

Implementing ISO 27001 Annex A 5.20 means codifying information security requirements into legal contracts. The primary implementation requirement is to establish non-negotiable security clauses and audit rights; the business benefit is that third-party risk is mitigated through enforceable contract terms and manual verification rather than reliance on automated dashboards.

ISO 27001 Annex A 5.20 (Addressing Information Security in Supplier Agreements): Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.20. Real-world compliance is found in hard-coded contract clauses and manual verification, not in the automated dashboards of GRC software.

1. Conduct a Manual Supplier Inventory Audit

Control Requirement: Maintain a comprehensive list of all suppliers with access to organisational information assets.

Required Implementation Step: Disregard automated ‘discovery’ tools. Manually review the last 12 months of accounts payable records and bank statements to identify every vendor, freelancer, and consultant who has been paid for services. Cross-reference this with a physical list of active system accounts.

Minimum Requirement: A spreadsheet or local document listing supplier name, service provided, and the specific classification of data they access.
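The cross-reference in step 1 is a reconciliation between two lists: everyone who has been paid in the last 12 months, and every external account that is still live. The following added example (not from the page or its author) shows that reconciliation on constructed sample data; the accounts-payable lines, the classification notes from stakeholder interviews, and the account export are all made up and their shape is an assumption. It produces the minimum-requirement inventory (supplier, service, data classification, accounts) plus the two exceptions an auditor will ask about: live accounts with no paid supplier behind them, and paid suppliers whose data access has never been classified.

```python
"""Reconcile 12 months of accounts-payable records with active external accounts.

Added example, not the page's own material. All vendor names, payments and
account identifiers below are constructed sample data."""

# Constructed sample: accounts-payable lines as (payee, service paid for).
AP_RECORDS = [
    ("Acme Cloud Ltd", "Backup hosting"),
    ("Acme Cloud Ltd", "Backup hosting"),            # second invoice, same payee
    ("Jane Doe (freelance)", "Software development"),
    ("CleanCo Services", "Office cleaning"),          # no IT account, but holds keys
]

# Constructed sample: data classification recorded during stakeholder interviews.
# A supplier missing from this map is a gap the audit must close.
DATA_CLASSIFICATION = {
    "Acme Cloud Ltd": "Confidential",
    "Jane Doe (freelance)": "Internal",
}

# Constructed sample: active external accounts (account, third party it was issued to).
# The export format is an assumption; a real AD/VPN export will look different.
ACTIVE_ACCOUNTS = [
    ("svc-acme-backup", "Acme Cloud Ltd"),
    ("jdoe-contractor", "Jane Doe (freelance)"),
    ("oldvendor-vpn", "Legacy Widgets Inc"),         # nobody has paid them in 12 months
]


def normalise(name):
    """Make supplier names comparable across AP and directory spellings."""
    return " ".join(name.lower().replace(",", " ").split())


def build_inventory(ap_records, classifications, active_accounts):
    """Return (inventory, orphan_accounts, unclassified_suppliers).

    inventory maps a normalised supplier name to its services, classification
    and live accounts; orphan_accounts are live accounts whose owner was not
    paid in the period; unclassified_suppliers were paid but have no
    documented data classification."""
    inventory = {}
    for payee, service in ap_records:
        entry = inventory.setdefault(normalise(payee), {
            "name": payee, "services": set(), "classification": None, "accounts": []})
        entry["services"].add(service)

    for name, classification in classifications.items():
        key = normalise(name)
        if key in inventory:
            inventory[key]["classification"] = classification

    orphan_accounts = []
    for account, owner in active_accounts:
        key = normalise(owner)
        if key in inventory:
            inventory[key]["accounts"].append(account)
        else:
            orphan_accounts.append(account)   # live access with no paid supplier behind it

    unclassified = sorted(e["name"] for e in inventory.values()
                          if e["classification"] is None)
    return inventory, orphan_accounts, unclassified


if __name__ == "__main__":
    inventory, orphans, unclassified = build_inventory(
        AP_RECORDS, DATA_CLASSIFICATION, ACTIVE_ACCOUNTS)
    for entry in inventory.values():
        print(f"{entry['name']}: {sorted(entry['services'])}, "
              f"classification={entry['classification']}, accounts={entry['accounts']}")
    print("Accounts with no paid supplier:", orphans)
    print("Paid suppliers with no data classification:", unclassified)
```

The orphan list is the finding that an app-discovery scan cannot produce: an account issued to a supplier the business stopped paying months ago. The unclassified list catches the cleaning contractor who has no login but still needs a row in the inventory because of the keys they hold.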

2. Perform Individual Supplier Risk Categorisation

Control Requirement: Identify and document the specific security risks associated with each supplier relationship.

Required Implementation Step: Sit down with the relevant internal stakeholder for each supplier. Document the worst-case scenario if that supplier was breached. Assign a risk level (Low, Medium, High) based on data volume and sensitivity, rather than relying on a generic ‘Security Score’ from a SaaS tool.

Minimum Requirement: A signed-off risk assessment for every ‘High’ and ‘Medium’ risk supplier.

3. Draft Customised Security Clauses for Master Service Agreements (MSA)

Control Requirement: Agreements with suppliers must address security requirements for accessing, processing, and storing data.

Required Implementation Step: Direct your legal counsel to insert specific, non-negotiable security requirements into your MSAs. This must include physical security, encryption standards for data at rest, and background checks for supplier personnel.

Minimum Requirement: Evidence of bespoke security appendices in at least three active supplier contracts.

4. Formulate Explicit Right-to-Audit Clauses

Control Requirement: The organisation must have the right to monitor and review supplier performance against security requirements.

Required Implementation Step: Manually edit contracts to ensure you have the ‘Right to Audit’. This should include the right to conduct on-site physical inspections of their server rooms or offices, not just the right to view a SOC 2 report.

Minimum Requirement: Contractual language that allows for a 48-hour notice period for an on-site security review.

5. Define Hard Deadlines for Incident Notification

Control Requirement: Suppliers must notify the organisation of any security incidents involving their data.

Required Implementation Step: Specify a precise timeframe (e.g., “within 24 hours of discovery”) in the contract. Require the supplier to provide a manual phone call to a designated internal contact, rather than just an automated email to a generic ‘support@’ alias.

Minimum Requirement: A defined ‘Incident Communication Plan’ attached as an exhibit to the supplier agreement.

6. Establish Data Return and Destruction Protocols

Control Requirement: Agreements must address the return or destruction of information at the end of the contract.

Required Implementation Step: Do not trust a “Delete All” button in a portal. Require a signed ‘Certificate of Destruction’ on the supplier’s company letterhead. Define exactly how data is to be handed back (e.g., encrypted physical drive or secure transfer).

Minimum Requirement: An ‘Offboarding Checklist’ for every terminated supplier, verified by the IT Manager.

7. Enforce Supply Chain Transparency (Fourth-Party Risk)

Control Requirement: Suppliers must ensure their sub-contractors meet the same security standards agreed upon with you.

Required Implementation Step: Require the supplier to provide a list of their sub-processors. Manually verify that their contracts with these sub-processors mirror the security obligations they have committed to with your organisation.

Minimum Requirement: A contractual clause prohibiting the use of sub-contractors for data processing without prior written consent.

8. Implement Physical Credential Revocation Procedures

Control Requirement: Supplier access to assets must be controlled and monitored.

Required Implementation Step: Create a manual log of all supplier-issued hardware tokens, VPN accounts, and physical keys. Upon completion of a project, a staff member must physically verify the return of equipment and the manual deletion of accounts in Active Directory.

Minimum Requirement: A signed ‘Access Revocation’ log entry for every departed contractor or supplier staff member.
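Step 8 asks for a log of every token, VPN account and physical key issued to supplier staff, and a signed entry confirming each was returned or deleted when the person left. The added example below (not from the page or its author) models that log on constructed data and lists the exceptions a reviewer would raise: items still outstanding for a departed contractor, and items marked returned without a named staff member signing off. The log structure and all names, dates and identifiers are assumptions made for the example.

```python
"""Completeness check for a supplier access-revocation log.

Added example, not the page's own material. The log layout and every
holder, identifier and date below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class IssuedItem:
    holder: str                       # supplier staff member or contractor
    kind: str                         # "hardware_token", "vpn_account" or "physical_key"
    identifier: str                   # serial, account name or key label
    returned_on: Optional[date] = None   # date return/deletion was physically verified
    verified_by: Optional[str] = None    # staff member who signed the log entry


# Constructed sample log of everything issued to third-party personnel.
ISSUED = [
    IssuedItem("j.doe (contractor)", "vpn_account", "jdoe-contractor", date(2024, 3, 1), "it.manager"),
    IssuedItem("j.doe (contractor)", "hardware_token", "YK-0042"),                     # never returned
    IssuedItem("j.doe (contractor)", "physical_key", "Server room K3", date(2024, 3, 1)),  # no sign-off
    IssuedItem("a.smith (vendor)", "vpn_account", "asmith-vendor"),                    # still engaged
]

# Constructed sample: holder -> date the project ended and access should have gone.
DEPARTED = {"j.doe (contractor)": date(2024, 2, 28)}


def revocation_exceptions(issued, departed):
    """Return (holder, identifier, reason) for every item a departed holder
    still has outstanding or that lacks a signed verification."""
    findings = []
    for item in issued:
        if item.holder not in departed:
            continue                                   # still engaged; nothing to revoke yet
        if item.returned_on is None:
            findings.append((item.holder, item.identifier, "not returned or deleted"))
        elif item.verified_by is None:
            findings.append((item.holder, item.identifier, "no staff sign-off"))
        elif item.returned_on < departed[item.holder]:
            findings.append((item.holder, item.identifier, "verified before departure date"))
    return findings


def offboarding_complete(issued, departed, holder):
    """True only when every item issued to a departed holder is returned and signed off."""
    return holder in departed and not any(h == holder for h, _, _ in
                                          revocation_exceptions(issued, departed))


if __name__ == "__main__":
    for holder, identifier, reason in revocation_exceptions(ISSUED, DEPARTED):
        print(f"EXCEPTION {holder}: {identifier} - {reason}")
    for holder in DEPARTED:
        print(f"{holder}: offboarding complete = {offboarding_complete(ISSUED, DEPARTED, holder)}")
```

A dashboard of ‘Provisioned Users’ would show jdoe-contractor as gone and report success; the log shows a hardware token still out and a key return nobody signed for, which is exactly the evidence the signed ‘Access Revocation’ entry is meant to capture.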

9. Verify Personnel Screening Requirements

Control Requirement: Suppliers must screen their employees according to the risk level of the data they handle.

Required Implementation Step: Request anonymised evidence of background checks from your suppliers. Do not accept a verbal “we do it.” Manually check that the depth of the background check (e.g., DBS check in the UK) matches the sensitivity of the data they access.

Minimum Requirement: Redacted proof of background checks for any supplier personnel with ‘Admin’ level access to your systems.

10. Maintain a Local Physical Evidence File

Control Requirement: Maintain evidence of compliance for supplier security management.

Required Implementation Step: Download all signed contracts, addendums, and certificates from cloud signing platforms. Store them on a local, encrypted file server or in a physical filing cabinet. Reliance on a GRC platform to hold your evidence is a single point of failure that auditors hate.

Minimum Requirement: A locally hosted folder containing PDF versions of all signed security appendices and supplier risk assessments.

ISO 27001 Annex A 5.20 SaaS / GRC Platform Implementation Failure Checklist

Each control requirement is listed with the ‘Checkbox Compliance’ trap a platform falls into, followed by the reality check.

Supplier Identification
The ‘Checkbox Compliance’ Trap: Platform scans your G-Suite or Slack for ‘Apps’.
The Reality Check: Misses the plumbing contractor or physical cleaner who has master keys to the server room.

Risk Assessment
The ‘Checkbox Compliance’ Trap: Sends an automated ‘Security Questionnaire’ to the supplier.
The Reality Check: Suppliers lie on questionnaires; true risk is found by interviewing your own project leads.

Contractual Clauses
The ‘Checkbox Compliance’ Trap: Provides a ‘standard template’ and assumes it is being used.
The Reality Check: Standard templates are often ignored by procurement departments; manual contract review is mandatory.

Audit Rights
The ‘Checkbox Compliance’ Trap: Accepts a logo of an ISO 27001 certificate as ‘Verified’.
The Reality Check: A certificate doesn’t give you the right to enter their building; only a signed MSA clause does.

Incident Reporting
The ‘Checkbox Compliance’ Trap: Integrates with the supplier’s API for ‘Uptime Status’.
The Reality Check: APIs don’t report security breaches; a manual, legal obligation to notify the CEO does.

Data Destruction
The ‘Checkbox Compliance’ Trap: Sets a ‘reminder’ to ask the supplier if they deleted data.
The Reality Check: A reminder is not evidence. Compliance requires a signed, legally-binding Certificate of Destruction.

Access Control
The ‘Checkbox Compliance’ Trap: Shows a list of ‘Provisioned Users’ in a dashboard.
The Reality Check: Misses shared passwords, physical keycards, and ‘shadow IT’ accounts created outside the portal.

Evidence Storage
The ‘Checkbox Compliance’ Trap: Stores links to DocuSign in the GRC platform.
The Reality Check: If you lose access to the SaaS, you lose your proof of compliance for the auditor.

About the author

Stuart Barker, ISO 27001 Ninja
MSc Security, Lead Auditor, 30+ years’ experience, ex-GE leader

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
