ISO 27001 Annex A 5.20 Audit Checklist

Auditing ISO 27001 Annex A 5.20 (Addressing information security within supplier agreements) involves verifying that security obligations are explicitly defined and enforceable in vendor contracts. This validates the primary implementation requirement: establishing legal and operational controls to protect data accessed or processed by external parties. The business benefit is reduced supply chain risk, achieved by ensuring third-party compliance with organisational security standards.

This technical verification tool is designed for lead auditors to establish the legal and operational rigour of vendor contracts. Use this checklist to validate compliance with ISO 27001 Annex A 5.20 (Addressing information security within supplier agreements) by ensuring all security obligations are explicitly documented and enforceable.

1. Supplier Security Requirement Categorisation Verified

Verification Criteria: Every supplier agreement is preceded by a risk-based categorisation that dictates the specific security annexes required based on the data types accessed.

Required Evidence: Supplier Risk Assessment logs or a “Contract Tiering” matrix showing the link between vendor risk and contract security clauses.

Pass/Fail Test: If a high-risk SaaS vendor has the same generic security clauses as a low-risk office stationery supplier, mark as Non-Compliant.

2. Information Classification and Handling Obligations Confirmed

Verification Criteria: The agreement explicitly mandates that the supplier adheres to the organisation’s information classification and handling rules for all shared assets.

Required Evidence: Executed contract sections or Data Processing Agreements (DPAs) referencing the organisation’s classification levels (e.g., Confidential, Restricted).

Pass/Fail Test: If the agreement fails to define the specific classification of the data being processed or the handling requirements for that class, mark as Non-Compliant.

3. Right to Audit and Physical Inspection Clauses Validated

Verification Criteria: The contract contains an enforceable “Right to Audit” clause allowing the organisation (or a nominated third party) to verify the supplier’s security controls.

Required Evidence: Signed Master Service Agreement (MSA) highlighting audit rights, frequency, and notice period requirements.

Pass/Fail Test: If the supplier restricts audits to “Self-Attestation” only or charges a prohibitive fee to allow an independent audit, mark as Non-Compliant.

4. Incident Notification Timelines and Procedures Documented

Verification Criteria: Supplier agreements specify binary triggers for incident notification and define mandatory reporting windows (e.g., 24 or 72 hours).

Required Evidence: Incident Management Annex within the supplier contract defining “Security Incident” and providing an escalation contact path.

Pass/Fail Test: If the notification clause uses vague language like “as soon as reasonably practicable” without a defined maximum hour threshold, mark as Non-Compliant.

5. Supplier Personnel Vetting and Training Obligations Verified

Verification Criteria: The agreement obligates the supplier to conduct background checks on staff with access to organisational data and provide regular security awareness training.

Required Evidence: Signed Security Annex specifying vetting standards (e.g., BPSS or local equivalent) and mandatory training frequency.

Pass/Fail Test: If the contract does not require the supplier to provide evidence of vetting for their privileged administrators, mark as Non-Compliant.

6. Sub-contracting Restrictions and Approval Controls Present

Verification Criteria: Provisions are in place to control 4th-party risk, requiring the supplier to obtain written consent before sub-contracting any part of the service processing organisational data.

Required Evidence: Sub-processor clause in the DPA or MSA detailing the approval process for new sub-contractors.

Pass/Fail Test: If the supplier has the right to change sub-contractors without notifying or obtaining consent from the organisation, mark as Non-Compliant.

7. Acceptable Use and Logical Access Restrictions Confirmed

Verification Criteria: Contracts stipulate that supplier access to organisational systems must follow the principle of least privilege and adhere to the organisation’s Acceptable Use Policy (AUP).

Required Evidence: Signed AUP acknowledgment from the vendor or specific “Remote Access” clauses within the technical security annex.

Pass/Fail Test: If the agreement allows for shared vendor accounts or does not mandate Multi-Factor Authentication (MFA) for vendor remote access, mark as Non-Compliant.

8. Intellectual Property and Data Ownership Protection Validated

Verification Criteria: The agreement explicitly states that the organisation retains all ownership and intellectual property rights over the data processed by the supplier.

Required Evidence: IP and Data Ownership clauses in the executed Master Service Agreement.

Pass/Fail Test: If the contract grants the supplier any rights to use organisational data for “Product Improvement” or “Analytics” without explicit anonymisation and consent, mark as Non-Compliant.

9. Supplier Exit Strategy and Data Return Procedures Verified

Verification Criteria: The agreement contains a formalised exit strategy defining how data will be returned, migrated, or securely destroyed at the end of the contract.

Required Evidence: “Termination and Exit” section of the contract specifying data formats for return and requirements for a Certificate of Destruction.

Pass/Fail Test: If the contract lacks a requirement for the supplier to provide a formal Certificate of Destruction upon termination, mark as Non-Compliant.

10. Legal and Regulatory Compliance Flow-down Confirmed

Verification Criteria: The agreement ensures that the supplier complies with all relevant statutory and regulatory requirements (e.g., UK GDPR, PCI DSS) applicable to the service.

Required Evidence: Regulatory Compliance clauses or specific certifications (e.g., Attestation of Compliance) referenced in the contract appendices.

Pass/Fail Test: If the supplier operates in a regulated industry but the contract does not explicitly state their liability for regulatory non-compliance, mark as Non-Compliant.

ISO 27001 Annex A 5.20 SaaS / GRC Platform Failure Checklist

Each entry below lists the control requirement, the “Checkbox Compliance” trap that a SaaS or GRC platform can fall into, and the reality check an auditor should apply.

Defined Security Annexes

Checkbox Compliance Trap: GRC tool marks “Complete” because a “Signed Contract” PDF exists.

Reality Check: Verify the *content* of the PDF. Generic Terms of Service are not a Security Annex.

Incident Notification

Checkbox Compliance Trap: SaaS platform flags a generic “Breach Clause” as compliant.

Reality Check: Confirm the clause specifies a *timeframe* (e.g. 24hrs). “Promptly” is legally unenforceable in an audit.

Right to Audit

Checkbox Compliance Trap: Tool checks if the vendor has an ISO 27001 certificate.

Reality Check: The certificate proves *their* ISMS. You must verify *your* right to inspect how they handle *your* data.

4th-Party Risk

Checkbox Compliance Trap: Platform assumes sub-contractors are managed if a DPA is present.

Reality Check: Examine the “Sub-processor List.” If it hasn’t been updated in 2 years, the control is likely failing.

Data Disposal

Checkbox Compliance Trap: Contract states data will be deleted on expiry.

Reality Check: An auditor must demand a sample *Certificate of Destruction* from a recently terminated vendor.

Vetting Standards

Checkbox Compliance Trap: GRC tool assumes big-name SaaS vendors vet all staff.

Reality Check: Verify that the contract *obligates* them to do so; never rely on brand reputation as audit evidence.

Data Sovereignty

Checkbox Compliance Trap: Tool identifies “Region: UK” in the cloud dashboard.

Reality Check: Verify the contract *prohibits* the supplier from moving data to other regions for support or disaster recovery.

About the author

Stuart Barker
ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigour with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.