
How to Implement ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements

In this ultimate how to implement guide to ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Implementing ISO 27001 Annex A 5.20 is the process of codifying information security requirements into legally binding supplier contracts. The primary implementation requirement is to establish non-negotiable security clauses and a right to audit in those contracts. The business benefit is that third-party risk is mitigated through enforceable obligations that you verify yourself, rather than through reliance on an automated dashboard.

ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements Implementation Checklist

Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.20. Real-world compliance is found in hard-coded contract clauses and manual verification, not in the automated dashboards of GRC software.

1. Conduct a Manual Supplier Inventory Audit

Control Requirement: Maintain a comprehensive list of all suppliers with access to organisational information assets.

Required Implementation Step: Disregard automated ‘discovery’ tools. Manually review the last 12 months of accounts payable records and bank statements to identify every vendor, freelancer and consultant who has been paid for services. Cross-reference that list with a list of active system accounts, including service accounts, API keys and VPN credentials issued to third parties. Every paid supplier should map to a known access path, and every third-party account should map to a paid supplier; anything that does not match is either an undocumented supplier or orphaned access, and both need to be resolved before the inventory is signed off.

Minimum Requirement: A spreadsheet or local document listing supplier name, service provided, and the specific classification of data they access.

2. Perform Individual Supplier Risk Categorisation

Control Requirement: Identify and document the specific security risks associated with each supplier relationship.

Required Implementation Step: Sit down with the relevant internal stakeholder for each supplier. Document the worst-case scenario if that supplier were breached. Assign a risk level (Low, Medium, High) based on the volume and sensitivity of the data the supplier can access, rather than relying on a generic ‘Security Score’ from a SaaS tool.

Minimum Requirement: A signed-off risk assessment for every ‘High’ and ‘Medium’ risk supplier.
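As an added example (not part of this guide or its toolkit), the following Python script reconciles three exports you have pulled yourself for steps 1 and 2: the accounts payable payees, the active third-party accounts, and the current supplier inventory. It flags paid suppliers missing from the inventory, accounts held by organisations nobody has paid in the last 12 months, and inventoried suppliers with no payments, then applies an assumed Low/Medium/High banding from data classification and record volume. The vendors, accounts and banding thresholds are constructed for illustration, and the script is an aid to the manual review the checklist describes, not a discovery tool. Note that the name normalisation strips legal suffixes such as Ltd and Inc, so two genuinely different entities can be merged; check the flagged lists by hand.

```python
"""Reconcile AP payees, third-party accounts and the supplier inventory.

Added example for ISO 27001 Annex A 5.20 steps 1 and 2. All data below is
constructed; replace the strings with your own CSV exports.
"""
import csv
import io
import re

# Constructed 12-month accounts payable export (hypothetical payees).
AP_EXPORT = """payee,amount,description
Acme Payroll Ltd,12000,Payroll processing
ACME PAYROLL LTD.,12000,Payroll processing
CloudHost Inc,4800,Hosting
J. Smith (freelance),3000,Marketing copy
Office Plants Co,400,Plant hire
"""

# Constructed list of active accounts held by third parties.
ACCOUNTS = """username,owner_org,system
svc-acmepay,Acme Payroll Ltd,HR DB
cloudhost-support,CloudHost Inc,Prod VPN
jsmith-ext,J. Smith (freelance),CMS
legacy-vendor,Old Backup Co,Backup server
"""

# Constructed supplier inventory (the step 1 minimum requirement).
INVENTORY = """supplier,service,data_classification
Acme Payroll Ltd,Payroll,Confidential
CloudHost Inc,Hosting,Confidential
"""

# Suffixes dropped so "Acme Payroll Ltd" and "ACME PAYROLL LTD." match.
LEGAL_SUFFIXES = {"ltd", "limited", "inc", "co", "llc", "plc", "gmbh"}


def normalise(name: str) -> str:
    """Lower-case, keep alphanumerics only, drop trailing legal suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def read_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(ap_csv: str, accounts_csv: str, inventory_csv: str) -> dict:
    """Cross-reference the three lists; each result is sorted for stable output."""
    payees: dict[str, str] = {}  # normalised name -> first display name seen
    for row in read_csv(ap_csv):
        payees.setdefault(normalise(row["payee"]), row["payee"])
    inventory = {normalise(r["supplier"]): r for r in read_csv(inventory_csv)}
    accounts = read_csv(accounts_csv)
    return {
        # Paid for services but never recorded as a supplier.
        "paid_not_in_inventory": sorted(
            disp for key, disp in payees.items() if key not in inventory),
        # Third-party access with no paying supplier behind it (orphaned access).
        "accounts_without_payee": sorted(
            a["username"] for a in accounts
            if normalise(a["owner_org"]) not in payees),
        # Inventoried but unpaid for a year: possibly dormant, still has access?
        "inventory_not_paid": sorted(
            r["supplier"] for key, r in inventory.items() if key not in payees),
    }


LEVELS = ["Low", "Medium", "High"]


def risk_level(classification: str, record_count: int) -> str:
    """Assumed banding, not from the guide: classification sets the base band,
    10,000 or more records pushes it up one band. Unknown labels are treated
    as Confidential so a missing classification can never lower the risk."""
    base = {"public": 0, "internal": 1, "confidential": 2}.get(
        classification.strip().lower(), 2)
    if record_count >= 10_000:
        base += 1
    return LEVELS[min(base, 2)]


if __name__ == "__main__":
    for finding, items in reconcile(AP_EXPORT, ACCOUNTS, INVENTORY).items():
        print(f"{finding}: {items}")
    for supplier, records in (("Acme Payroll Ltd", 2_500), ("CloudHost Inc", 40_000)):
        print(supplier, risk_level("Confidential", records))
```

The output of the constructed data shows the two failure modes step 1 is looking for: the freelancer and the plant-hire company were paid but never inventoried, and the `legacy-vendor` account belongs to an organisation with no payments in the last year, which is exactly the kind of orphaned access a supplier audit should catch.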

3. Draft Customised Security Clauses for Master Service Agreements (MSA)

Control Requirement: Agreements with suppliers must address security requirements for accessing, processing, and storing data.

Required Implementation Step: Direct your legal counsel to insert specific, non-negotiable security requirements into your MSAs. At a minimum these must cover physical security, encryption standards for data at rest and in transit, background checks for supplier personnel, and your right to audit the supplier’s compliance with those clauses.

Minimum Requirement: Evidence of bespoke security appendices in at least three active supplier contracts.
