The basics
ISO 27001 control A.5.22 Monitoring, review and change management of supplier services requires companies to review whether their suppliers and contractors comply with security requirements – these security requirements are typically defined in agreements or other documents agreed upon by both parties.
Documentation
ISO 27001 control A.5.22 Monitoring, review and change management of supplier services can be documented:
- For smaller and mid-sized companies by writing a Supplier Security Policy.
- For larger companies by writing a Procedure for Monitoring Supplier Security.
These documents are not mandatory but are recommended.
Implementation
In order to comply with control A.5.22 Monitoring, review and change management of supplier services you might implement the following:
- Technology — the technology needed to monitor, review, and manage changes in supplier services will in most cases already be provided by the supplier (e.g., monitoring reports, real-time dashboards, etc.). Some companies might only need to upgrade their services to receive such reports, while in rare cases they will need to change the supplier if it lacks the required monitoring and reviewing capabilities and an appropriate change management process.
- Organization/processes — you should set up a process for performing monitoring and review of delivered services, as well as for managing changes in those services by the supplier. You can document those processes through a Supplier Security Policy or Procedure for Monitoring Supplier Security.
- People — make employees aware of why monitoring and reviewing supplier services is needed, and train them on how to monitor and review their contracted services and evaluate required changes.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.22 Monitoring, review and change management of supplier services: whether supplier and contractor compliance with security requirements is monitored, reviewed, and managed.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.