ISO 27001:2022 Annex A 5.20 Addressing information security within supplier agreements

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.20 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.20 Addressing Information Security within Supplier Agreements

ISO 27001 Annex A 5.20 requires that relevant information security requirements are established and agreed upon with each supplier that accesses, processes, stores, communicates, or provides infrastructure components for the organization’s information. While Annex A 5.19 focuses on the general relationship, this control is about the contractual “teeth.” The goal is to ensure that security obligations are legally binding, clearly defined, and leave no room for ambiguity regarding who is responsible for protecting data in the event of a breach.

Core requirements for compliance include:

  • Explicit Security Clauses: Agreements must include specific clauses for data protection, confidentiality, and intellectual property. Generic “we will keep your data safe” statements are insufficient for an audit.
  • Incident Notification Timelines: Suppliers must be contractually obligated to notify you of a security breach within a specific window (e.g., 24 or 72 hours) to allow you to meet your own legal obligations under GDPR or CCPA.
  • Right to Audit: You must include the legal right to audit the supplier’s security controls or, at a minimum, require them to provide independent audit reports (such as SOC 2 or an ISO 27001 certificate) annually.
  • Supply Chain Transparency: Agreements should require the supplier to manage their own “sub-suppliers” to the same standard, preventing security weak points further down the chain.
  • Vulnerability Management: Contracts should specify the supplier’s responsibility for patching and vulnerability reporting for any software or hardware they provide.
  • Secure Deletion/Return: Upon contract termination, the agreement must mandate the secure return or destruction of all organization data.

Audit Focus: Auditors will look for “The Legal Shield”:

  1. Contractual Sampling: “Show me the signed agreement for your cloud hosting provider. Where does it state their requirement to notify you of a breach?”
  2. Consistency Check: “Does your standard Data Processing Agreement (DPA) match the security requirements defined in your Risk Assessment?”
  3. Exit Clauses: “What happens to your data if this supplier goes bankrupt? Show me the ‘Return of Assets’ clause in their contract.”

Supplier Agreement Checklist (Audit Prep):

Contract Requirement | Mandatory Inclusion | Why it matters | ISO 27001:2022 Control
--- | --- | --- | ---
Confidentiality / NDA | Required for all. | Prevents unauthorised disclosure of trade secrets. | Annex A 5.15 / 5.20
Incident Reporting | Defined timeline. | Essential for meeting regulatory breach windows. | Annex A 5.20 / 5.24
Right to Audit | Required for T1/T2. | Allows you to verify security claims independently. | Annex A 5.20 / 5.22
Access Controls | Defined methods. | Ensures suppliers use MFA and Least Privilege. | Annex A 5.20 / 8.15
Data Deletion | Post-termination. | Prevents “Data Residue” risks after the contract ends. | Annex A 5.20 / 8.10

What is ISO 27001 Annex A 5.20?

ISO 27001 Annex A 5.20 is about addressing information security in your supplier agreements. In practice this means you need legal agreements in place with suppliers that cover your information security requirements.

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements is an ISO 27001 control that requires an organisation to establish and agree information security requirements with suppliers.

It is about having a legal mechanism in place: a contract, an agreement or terms of business.

Suppliers represent one of your biggest risks. You cannot directly manage or influence them, yet it is likely that you rely on them: they hold your data and provide services you need to be successful.

ISO 27001 Annex A 5.20 Purpose

ISO 27001 Annex A 5.20 is a preventive control. Its purpose is to ensure you maintain an agreed level of information security in supplier relationships.

ISO 27001 Annex A 5.20 Definition

The ISO 27001 standard defines ISO 27001 Annex A 5.20 as:

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

Watch the ISO 27001 Annex A 5.20 Tutorial

In the video ISO 27001 Information Security Within Supplier Agreements Explained – ISO27001:2022 Annex A 5.20 I show you how to implement it and how to pass the audit.

ISO 27001 Annex A 5.20 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.20 Implementation Guidance

We are going to rely on a couple of mechanisms to ensure information security in supplier relationships.

Supplier Agreements / Contracts

The number one recommendation is to seek professional legal counsel for the provision of all contracts. The following is guidance, but you should always defer to professional legal counsel. Always. You are not a lawyer. We are not lawyers.

Our first line of defence and go-to is the supplier agreement or supplier contract. At its core it is a legally binding mechanism and provides the greatest level of overall protection.

  • It sets out what is required, what will be done, who will do it, and what happens if things go wrong.
  • What information is to be provided and accessed, and the methods of access.
  • Legal, regulatory and contractual requirements, such as intellectual property rights, copyright information and data protection requirements.
  • The controls and levels of controls that are required by both parties to the agreement.
  • Acceptable and unacceptable use of assets.
  • How to grant and remove access.
  • Penalties, indemnities and remediation for failure to meet the contract.
  • Contact information.
  • Screening requirements for staff, where legally enforceable.
  • How evidence and assurance of information security will be provided.
  • Rights to audit.
  • How to resolve problems or conflicts with the contract.
  • Appropriate backup, business continuity and disaster recovery.
  • The process for change management.
  • Physical security, as appropriate.
  • Information transfer processes.
  • Termination clauses and processes.
  • Destruction and removal of data processes.
  • Handover at the end of the contract.

Contracts are kept and recorded in the ISO 27001 Supplier Register. They are reviewed at least annually, based on risk and significant change or event.

How to implement ISO 27001 Annex A 5.20

Implementing ISO 27001 Annex A 5.20 requires a transition from generic procurement contracts to security-centric legal agreements. By formalising technical requirements and right-to-audit clauses within every supplier contract, organisations can effectively mitigate third-party risks and ensure that external partners maintain the same security standards as the internal Information Security Management System (ISMS). This guide outlines the action-oriented steps to ensure your supplier agreements are technically robust and audit-compliant.

1. Formalise Technical Security Requirements

Establish a comprehensive list of security requirements that must be embedded into every new supplier agreement. This action results in a standardised baseline that prevents the onboarding of high-risk vendors without adequate protections.

  • Define mandatory encryption standards for data at rest and data in transit (e.g. AES-256).
  • Specify the technical requirements for Identity and Access Management (IAM), including the enforcement of Multi-Factor Authentication (MFA).
  • Document the expected patch management cycles and vulnerability disclosure timeframes for any software or hardware provided.

2. Provision Right-to-Audit and Continuous Monitoring Clauses

Incorporate “Right to Audit” language in the Service Level Agreement (SLA) to allow for periodic verification of the supplier’s security posture. This ensures the organisation has the legal leverage to validate compliance throughout the contract lifecycle.

  • Detail the frequency and scope of independent security assessments or onsite audits.
  • Require the annual submission of third-party assurance reports, such as ISO 27001 certificates or SOC 2 Type II audits.
  • Include provisions for automated security monitoring or regular vulnerability scans of the supplier’s provided infrastructure.

3. Formalise Mandatory Incident Notification Procedures

Specify strict timelines and reporting channels for security incident notifications within the legal contract. This result-focused step ensures that your organisation can meet its own regulatory obligations, such as the 72-hour GDPR reporting window.

  • Define the specific technical data the supplier must provide during an incident (e.g. forensic logs, affected user counts).
  • Establish a primary security contact and a secondary escalation path for 24/7 incident reporting.
  • Document the Rules of Engagement (ROE) for joint incident investigations to prevent data spoliation.

4. Formalise Data Residency and Sub-processor Transparency

Mandate that suppliers disclose the geographical locations of data storage and any fourth-party sub-processors they utilise. This action ensures that the organisation maintains control over its data supply chain and remains compliant with jurisdictional laws.

  • Require written consent before the supplier moves organisational data to a new geographical region.
  • Establish a clause that forces the supplier to pass down all security obligations to their own subcontractors.
  • Document the technical measures used to isolate your organisation’s data from other tenants in multi-tenant environments.

5. Execute Secure Asset Return and Destruction Protocols

Define the technical procedures for the secure return or destruction of all organisational assets upon contract termination or expiry. This action prevents “data remnants” from remaining on supplier systems, mitigating the risk of long-term exposure.

  • Specify the data formats required for portable data return to prevent vendor lock-in.
  • Require a formal certificate of destruction for all data held on the supplier’s primary and backup storage systems.
  • Formalise the immediate revocation of all supplier access to internal systems, including the deactivation of IAM roles and VPN tokens.

Contract Clause Checklist

Clause | Purpose | Why it matters?
--- | --- | ---
Right to Audit | Allows you (or a 3rd party) to check their security. | Critical for “High Risk” vendors.
Incident Notification | “Must notify us within 72 hours of a breach.” | Required for your own GDPR compliance.
Data Return/Delete | “Must delete our data upon termination.” | Prevents data leakage after the contract ends.
Sub-processing | “Cannot outsource to others without permission.” | Stops them sending your data to a cheap, insecure 4th party.
SLA (Security) | “Must maintain 99.9% uptime & patch within 30 days.” | Turns “best effort” into a legal requirement.

ISO 27001 Supplier Register Template

The ultimate ISO 27001 Supplier Register Template.

ISO27001 Third Party Supplier Register - ISO 27001 Annex A 5.20 Template

ISO 27001 Supplier Policy Template

The ultimate ISO 27001 Supplier Policy Template.

ISO27001 Third Party Supplier Policy - ISO 27001 Annex A 5.20 Template

How to comply

To comply with ISO 27001 Annex A 5.20 you are going to implement the ‘how’ that delivers the ‘what’ the control is expecting. In short, you are going to:

  • Implement a topic specific policy
  • Implement a supplier management process
  • Implement an ISO 27001 supplier register
  • Have agreements with all suppliers that cover information security requirements

How to pass the ISO 27001 Annex A 5.20 audit

To pass an audit of ISO 27001 Annex A 5.20 you are going to make sure that you have followed the steps above in how to comply.

What the auditor will check

The audit is going to check a number of areas. Let’s go through the most common.

1. That you have supplier agreements in place

The auditor is going to check that you have agreements in place with suppliers that cover the information security requirements. They will check that those agreements are in date and cover the products and/or services acquired.

2. That you have an ISO 27001 Supplier Register

You will need an ISO 27001 Supplier Register to record and manage your suppliers. Make sure it is up to date and reflects your reality.

3. Documentation

They are going to look at audit trails and all your documentation and check that it is classified and labelled. As a minimum, any document you show them that is confidential should be labelled as such. Is the document up to date? Has it been reviewed in the last 12 months? Does the version control match?

Top 3 ISO 27001 Annex A 5.20 Mistakes People Make and How to Avoid Them

The top 3 mistakes people make for ISO 27001 Annex A 5.20 are:

1. You have no agreement in place with the supplier

Make sure that there is a contract, agreement, terms of business or some legal mechanism for engaging with suppliers, and that you have a copy, it is in date and it covers what you are using.

2. You have no assurance they are doing the right thing for information security

Make sure you have done your security assessment and can place your hands on an in-date certificate, such as an ISO 27001 certification, for assurance that they are doing the right thing. It needs to be in date and cover the products and/or services you have acquired and are using from the supplier.

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no stray comments are all good practices.
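The audit points above (an agreement that exists, is in date and covers the services used; an in-date assurance certificate whose scope covers those services; review evidence within the last 12 months; a breach-notification window you can live with) are mechanical enough to check over a supplier register before the auditor does. The script below is an added example written for this guide, not code from the page or from High Table; it assumes a simple register data model of my own design, and the suppliers, services and dates are constructed sample data. The 72-hour regulatory window is the GDPR figure cited earlier in the guide.

```python
"""Pre-audit checks over an ISO 27001 supplier register (Annex A 5.20).

Added example: the Supplier data model below is an assumption made for this
illustration, and SAMPLE_REGISTER is constructed, fictional data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

REVIEW_PERIOD_DAYS = 365                 # "reviewed in the last 12 months"
REGULATORY_NOTIFICATION_HOURS = 72       # GDPR breach-reporting window cited in the guide


@dataclass
class Supplier:
    name: str
    services_used: Set[str]                          # what we actually consume
    agreement_expiry: Optional[date]                 # None = no signed agreement on file
    agreement_services: Set[str] = field(default_factory=set)
    notification_hours: Optional[int] = None         # contractual breach-notification window
    cert_type: Optional[str] = None                  # e.g. "ISO 27001", "SOC 2"
    cert_expiry: Optional[date] = None
    cert_scope: Set[str] = field(default_factory=set)
    last_review: Optional[date] = None               # date of last evidenced review


def check_supplier(s: Supplier, today: date) -> List[str]:
    """Return audit findings for one register entry; an empty list means clean."""
    findings: List[str] = []

    # Mistake 1: no agreement, an expired agreement, or one that does not cover what is used.
    if s.agreement_expiry is None:
        findings.append("no agreement on file")
    else:
        if s.agreement_expiry < today:
            findings.append(f"agreement expired on {s.agreement_expiry.isoformat()}")
        uncovered = s.services_used - s.agreement_services
        if uncovered:
            findings.append("agreement does not cover: " + ", ".join(sorted(uncovered)))
        if s.notification_hours is None:
            findings.append("no breach-notification timeline in agreement")
        elif s.notification_hours > REGULATORY_NOTIFICATION_HOURS:
            findings.append(
                f"notification window {s.notification_hours}h exceeds "
                f"{REGULATORY_NOTIFICATION_HOURS}h regulatory window"
            )

    # Mistake 2: no in-date assurance, or assurance whose scope misses the services used.
    if s.cert_type is None:
        findings.append("no assurance certificate on file")
    else:
        if s.cert_expiry is None or s.cert_expiry < today:
            findings.append(f"{s.cert_type} certificate expired or has no expiry date")
        uncovered = s.services_used - s.cert_scope
        if uncovered:
            findings.append(f"{s.cert_type} scope does not cover: " + ", ".join(sorted(uncovered)))

    # Mistake 3: no review evidenced within the last 12 months.
    if s.last_review is None or (today - s.last_review).days > REVIEW_PERIOD_DAYS:
        findings.append("no review evidenced in the last 12 months")

    return findings


def check_register(register: List[Supplier], today: date) -> Dict[str, List[str]]:
    """Map each supplier name to its list of findings."""
    return {s.name: check_supplier(s, today) for s in register}


# Constructed sample register: fictional suppliers, services and dates.
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    Supplier("Example Cloud Host", {"hosting", "backup"}, date(2026, 3, 31),
             {"hosting", "backup"}, 24, "ISO 27001", date(2026, 1, 15),
             {"hosting", "backup"}, date(2025, 2, 10)),
    Supplier("Example Payroll SaaS", {"payroll"}, date(2024, 12, 31),
             {"payroll"}, 120, "SOC 2", date(2025, 9, 1),
             {"payroll"}, date(2024, 1, 5)),
    Supplier("Example IT Support", {"helpdesk", "endpoint-admin"}, None,
             set(), None, None, None, set(), date(2025, 5, 1)),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, TODAY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the sample data, the cloud host comes back clean, the payroll provider is flagged for an expired agreement, a 120-hour notification window and a stale review, and the IT support firm is flagged for having no agreement and no assurance at all. The same structure extends naturally to the other clauses in the checklist (right to audit, data deletion, sub-processor consent) by adding a field per clause and a check per field.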

Applicability of ISO 27001 Annex A 5.20 across different business models.

Business Type: Small Businesses
Applicability & Interpretation: Standard Terms & NDAs. You cannot renegotiate contracts with giants (Microsoft/Google), but you must understand them. For local suppliers (IT support, cleaners), you need explicit confidentiality agreements.
Examples of Control:
  • The “NDA” Check: Ensuring every external contractor (e.g., the accountant or IT fix-it person) has signed a Non-Disclosure Agreement before accessing your systems.
  • Reviewing T&Cs: Reading the “Data Backup” clause in your ISP contract to confirm they are not liable for data loss, prompting you to arrange your own backups.

Business Type: Tech Startups
Applicability & Interpretation: “Right to Audit” & Code IP. When outsourcing development, the contract must define who owns the code and who is responsible for fixing bugs. Crucially, you must reserve the legal right to test their security.
Examples of Control:
  • Right to Audit Clause: Including a contractual clause that allows you to perform penetration testing on the software delivered by your development agency.
  • SLA Definitions: Defining strict “Incident Notification” times in the contract (e.g., “Supplier must notify us of a breach within 24 hours”).

Business Type: AI Companies
Applicability & Interpretation: Data Usage & Model Rights. The agreement must explicitly state whether the supplier can use your data to train their models. Ambiguity here can lead to IP leakage.
Examples of Control:
  • Zero-Training Clause: A specific legal term in API agreements (e.g., with OpenAI or Anthropic) stating that inputs will not be used for model improvement.
  • Liability Cap: Negotiating terms regarding liability for “Hallucinations” or errors if the supplier’s model output causes downstream harm to your clients.

Fast Track ISO 27001 Annex A 5.20 Compliance with the ISO 27001 Toolkit

For ISO 27001 Annex A 5.20 (Addressing information security within supplier agreements), the requirement is to ensure that information security requirements are established and agreed upon with each supplier that processes, stores, or accesses the organization’s information. This control is about making security expectations legally binding.

Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example
--- | --- | --- | ---
Legal Ownership | Rents access to your legal templates; if you cancel the subscription, your documented security schedules and clauses vanish. | Permanent Assets: Fully editable Word templates for Supplier Security Clauses that you own forever. | A signed Master Service Agreement (MSA) featuring your proprietary “Right to Audit” security clause.
Contractual Utility | Attempts to “automate” reviews via generic dashboards that cannot negotiate custom clauses or interpret local case law. | Governance-First: Provides the specific legal language needed to bake security into your existing procurement workflows. | A “Supplier Security Schedule” proving that data breach notification timelines are legally mandated for all vendors.
Cost Efficiency | Charges a “Contract Volume Tax” that scales aggressively as your vendor list and agreement count grows. | One-Off Fee: A single payment covers your legal governance for 5 supplier agreements or 500. | Allocating budget to specialized legal counsel for complex negotiations rather than monthly “dashboard” fees.
Legal Freedom | Mandates rigid workflows and metadata that may not align with specialized industry requirements like HIPAA or PCI-DSS. | 100% Agnostic: Templates are fully customizable to match your unique business model and jurisdictional laws. | The ability to evolve your legal strategy and update liability caps without reconfiguring a rigid SaaS compliance module.

Summary: For Annex A 5.20, the auditor wants to see that your supplier contracts explicitly include information security requirements. The High Table ISO 27001 Toolkit provides the legal governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Annex A 5.20 FAQ

What is ISO 27001 Annex A 5.20?

ISO 27001 Annex A 5.20 is an information security control that requires organisations to formalise and document security requirements within legal agreements with all suppliers who access or process company data.

  • It ensures that security expectations are legally binding and enforceable.
  • It covers the entire lifecycle of the relationship, from onboarding to decommissioning.
  • It reduces third-party risk by establishing clear boundaries of responsibility.

What must be included in a supplier security agreement?

To comply with Annex A 5.20, supplier agreements must include specific clauses that define how the provider will protect the confidentiality, integrity, and availability of your data.

  • Right to Audit: The legal right for your organisation (or a third party) to verify the supplier’s security controls.
  • Incident Reporting: Mandatory timeframes for the supplier to notify you of a security breach.
  • Data Protection: Explicit requirements for encryption, access controls, and data residency.
  • Return of Assets: Procedures for the secure return or destruction of data upon contract termination.

What is the difference between Annex A 5.19 and 5.20?

The primary difference is that Annex A 5.19 establishes the overarching policy for supplier relationships, whereas Annex A 5.20 focuses on the technical and legal clauses within the contracts themselves.

  • Annex A 5.19: Strategic “what” and “why” of vendor management.
  • Annex A 5.20: Operational “how” via legally binding contract language.
  • Relationship: You use the policy (5.19) to dictate the requirements found in the agreement (5.20).

Does a standard NDA satisfy Annex A 5.20?

No, a Non-Disclosure Agreement (NDA) alone does not satisfy the requirements of Annex A 5.20 because it only addresses confidentiality, not integrity or availability.

  • NDAs lack operational security requirements like patch management or physical security.
  • NDAs do not typically include “Right to Audit” or specific incident management obligations.
  • A 5.20 requires a broader Data Processing Agreement (DPA) or a Security Addendum.

How do you handle security for SaaS providers with non-negotiable contracts?

For large SaaS providers (e.g. Microsoft, AWS), you must assess their standard Terms of Service and independent audit reports (SOC 2 or ISO 27001) against your internal requirements.

  • Review their standard Security Addendums to ensure they meet your minimum thresholds.
  • Document the risk of non-negotiable terms in your Risk Register.
  • Verify the scope of their certifications to ensure it covers the specific services you use.

What evidence do auditors expect for Annex A 5.20?

Auditors expect to see a sample of signed supplier contracts or security addendums that explicitly list the security obligations identified in your risk assessment.

  • A Supplier Register: Mapping suppliers to their risk levels and contract status.
  • Signed Agreements: Validating that security clauses were actually included and executed.
  • Evidence of Review: Proof that you reviewed the supplier’s security posture before signing.

ISO 27001 Annex A 5.19 Information Security In Supplier Relationships

ISO 27001 Annex A 5.22 Monitor, Review And Change Management Of Supplier Services

Further Reading

ISO 27001 Supplier Security Policy Beginner’s Guide

ISO 27001 controls and attribute values

Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
--- | --- | --- | --- | ---
Preventive | Confidentiality, Integrity, Availability | Identify | Supplier relationships security | Protection, Governance and ecosystem


Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
