
ISO 27001 Annex A 5.21 Audit Checklist

In this ultimate how-to-audit guide to ISO 27001 Annex A 5.21 Managing Information Security in the ICT Supply Chain, you will learn directly from an ISO 27001 Lead Auditor:

  • 10 Key Audit Steps
  • Verification Criteria
  • Required Evidence
  • The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

Auditing ISO 27001 Annex A 5.21 Managing Information Security in the ICT Supply Chain involves the continuous verification of third-party service delivery and security integrity. The audit validates the primary implementation requirement: monitoring supplier performance, security obligations and sub-tier (supplier-of-supplier) risks against the agreed service levels. The business benefit is supply chain resilience: vulnerabilities are identified early and contractual security standards are enforced, so that supplier failures do not become disruptions to the organisation.

1. Supplier Service Level Monitoring Records Verified

Verification Criteria: Management maintains a continuous process to monitor supplier service delivery and security performance against agreed-upon contract requirements.

Required Evidence: Monthly or quarterly service performance reports, uptime logs, and security KPI dashboards provided by the supplier.

Pass/Fail Test: If the organisation cannot produce evidence of service performance reviews conducted within the last 6 months for critical suppliers, mark as Non-Compliant.

2. Supplier Security Audit Execution Confirmed

Verification Criteria: The organisation exercises its right to audit or reviews independent third-party audit reports for high-risk ICT suppliers.

Required Evidence: Signed supplier audit reports, SOC 2 Type II report reviews, or ISO 27001 certification validation records (including verification that the certificate scope covers the services supplied).

Pass/Fail Test: If a critical ICT supplier has not provided an updated audit report or certificate within the last 12 months, and no internal audit was performed, mark as Non-Compliant.

3. Supplier Incident Notification Adherence Validated

Verification Criteria: Records demonstrate that the supplier notifies the organisation of security incidents within the contractually mandated timeframes.

Required Evidence: Incident logs or email archives showing timestamped notifications from the supplier regarding security events or breaches.

Pass/Fail Test: If a known supplier-side breach occurred but no formal notification was received by the organisation’s security lead, mark as Non-Compliant.
