The basics
ISO 27001 control A.5.20 Addressing information security within supplier agreements requires companies to include, in the contracts or service agreements they sign with suppliers, every relevant security requirement the supplier needs to fulfill. This matters because security requirements that are formally signed by both parties can be legally enforced.
Documentation
ISO 27001 control A.5.20 Addressing information security within supplier agreements can be documented by writing security clauses in agreements signed with suppliers.
These clauses are not mandatory but are recommended for all companies.
Implementation
In order to comply with control A.5.20 Addressing information security within supplier agreements you might implement the following:
- Technology — the technology to address information security within supplier agreements in most cases will be already available in the company. Companies of all sizes will probably be able to address information security within supplier agreements by using the same tools and systems adopted to manage their regular contracts and agreements signed with third parties (e.g., digital signatures, MS Word or Google Docs for writing agreements, contract management software, etc.).
- Organization/processes — you should set up a process for identifying, including, and managing information security clauses in agreements signed with suppliers. You can document that process in a Supplier Security Policy or a Procedure for Managing Supplier Security Risks.
- People — make employees aware of why security clauses in supplier agreements are needed, and train them on how to identify the security requirements to be included in agreements.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.20 Addressing information security within supplier agreements: whether the relevant security requirements a third party needs to fulfill are included in the contracts or agreements signed with that third party.