
ISO 27001 Annex A 5.20 Audit Checklist

In this ultimate how-to-audit guide to ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 5.20 Addressing Information Security within Supplier Agreements involves verifying that security obligations are explicitly defined in, and enforceable through, supplier contracts. This validates the primary implementation requirement: establishing legal and operational controls to protect information that external parties access, store or process. The business benefit is reduced supply chain risk, because suppliers are contractually bound to the organisation's security standards rather than merely expected to follow them.

1. Supplier Security Requirement Categorisation Verified

Verification Criteria: Every supplier agreement is preceded by a risk-based categorisation of the supplier, and that categorisation dictates which security annexes or schedules the contract must carry, based on the types of information the supplier will access and the services it will provide.

Required Evidence: Supplier Risk Assessment logs or a “Contract Tiering” matrix showing the link between vendor risk and contract security clauses.

Pass/Fail Test: If a high-risk SaaS vendor has the same generic security clauses as a low-risk office stationery supplier, mark as Non-Compliant.

2. Information Classification and Handling Obligations Confirmed

Verification Criteria: The agreement explicitly mandates that the supplier adheres to the organisation’s information classification and handling rules for all shared assets.

Required Evidence: Executed contract sections or Data Processing Agreements (DPAs) referencing the organisation’s classification levels (e.g., Confidential, Restricted).

Pass/Fail Test: If the agreement fails to define the specific classification of the data being processed or the handling requirements for that class, mark as Non-Compliant.

3. Right to Audit and Physical Inspection Clauses Validated

Verification Criteria: The contract contains an enforceable “Right to Audit” clause allowing the organisation (or a nominated third party) to verify the supplier’s security controls.

Required Evidence: Signed Master Service Agreement (MSA) highlighting audit rights, frequency, and notice period requirements.

Pass/Fail Test: If the supplier permits self-attestation only (with no independent verification, such as an audit by the organisation or its nominee or an independent assurance report), or charges a prohibitive fee to allow an independent audit, mark as Non-Compliant.
