ISO 27001 Annex A Control 5.21

ISO 27001 control 5.21 Managing information security in the ICT supply chain

The basics

ISO 27001 control A.5.21 Managing information security in the ICT supply chain requires companies to define and implement processes for identifying, assessing, and treating the information security risks associated with ICT products and services provided by third parties. The point of treating this as a chain, rather than as a list of individual suppliers, is that a security incident at one supplier, or in a component that supplier sources from its own sub-suppliers, can propagate down the chain and end up affecting your own data and services, even though you have no contract with the party where the incident originated.

Documentation

ISO 27001 control A.5.21 Managing information security in the ICT supply chain can be documented:

  • For smaller and mid-size companies – by writing a Supplier Security Policy
  • For larger companies – by writing a Procedure for Managing Supplier Security Risks

These documents are not mandatory but are recommended.

Implementation

In order to comply with control A.5.21 Managing information security in the ICT supply chain you might implement the following:

  • Technology — in most cases the technology needed to manage ICT supply chain risks is already available in the company. Companies of all sizes can usually manage these risks with the same tools and systems they use for their own information security risk assessment (e.g., a spreadsheet or dedicated risk management software, typically holding a supplier or third-party risk register), together with the systems they already use to monitor third-party service levels (e.g., for cloud services, availability and performance monitoring). Keep in mind that service-level monitoring only covers the availability side; whether a supplier actually meets its security commitments has to be checked through security-specific evidence, such as audit reports, certifications, or vulnerability notifications for the components and services you use.
  • Organization/processes — you should set up a process for assessing, evaluating, and treating information security risks related to your suppliers, including the risk that a supplier depends on its own sub-suppliers for critical components or services. Most probably you will be able to use as a basis the same processes and procedures adopted to manage your own information security risks, with minor adjustments (e.g., adding supplier security requirements to contracts and reviewing supplier risks at defined intervals or after a supplier incident). You can document those processes through a Supplier Security Policy or Procedure for Managing Supplier Security Risks.
  • People — make employees aware of why managing information security risks related to suppliers is needed, and train the people who select, contract, and manage suppliers on how to assess, evaluate, and treat the risks in their part of the supply chain.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.21 Managing information security in the ICT supply chain: whether information security risks related to ICT products and services provided by third parties are identified, assessed, and treated, e.g., a supplier risk assessment with the resulting treatment measures, and records showing that those measures are actually applied and reviewed.