The 2022 revision of ISO 27001 brought significant changes to how supplier relationships are managed. The 2013 supplier controls have been replaced by four dedicated controls covering information security in supplier relationships, supplier agreements, the ICT supply chain, and the monitoring and change management of supplier services, with cloud services now addressed by a separate control. If you're renewing certification or preparing for your first audit under the 2022 standard, this guide covers what auditors are looking for and how to build the required evidence.
What changed in ISO 27001:2022
The 2013 version of ISO 27001 addressed supplier security through a handful of controls under domain A.15. The 2022 revision reorganised and expanded these into Annex A controls 5.19 through 5.22, with notably more rigour around cloud services (5.23) and ICT supply chain management (5.21) — areas that barely existed as concerns in 2013.
Organisations with existing certifications had a transition period — most expired in late 2025. New certifications and renewals are now assessed against the 2022 standard.
Control 5.19 — Information security in supplier relationships
This control requires that processes and procedures are defined and implemented to manage information security risks associated with using supplier products or services.
In practice, auditors look for:
- A documented supplier management policy that defines how you identify, assess, and manage supplier risk
- A supplier register or inventory covering suppliers who have access to your information or information systems
- Evidence that security requirements are established before engaging with a supplier — not just reviewed after the contract is signed
- Roles and responsibilities for supplier risk management clearly assigned
Auditor focus: For 5.19, auditors commonly request your supplier management policy and a sample of your supplier register. If your register lives in a spreadsheet with no version control, that's a finding. If you have no documented policy, that's a nonconformity.
Control 5.20 — Addressing information security within supplier agreements
Control 5.20 requires that relevant information security requirements are established and agreed with each supplier based on the type of supplier relationship.
The control specifies a list of topics that must be covered in supplier agreements, including:
- The information to be provided or accessed, and the method of provision or access
- Information classification and security requirements
- Legal and regulatory requirements, including data protection
- Each party's obligation to implement agreed controls
- Incident management and notification obligations
- Minimum security requirements for each category of information or access type
- Rights of audit
- Return and destruction of information at contract end
This control has significant overlap with GDPR Article 28 requirements for data processors — a well-drafted DPA that covers Article 28 will satisfy much of 5.20 for GDPR-relevant suppliers.
Control 5.21 — Managing information security in the ICT supply chain
This is a new control in the 2022 revision, specifically targeting ICT suppliers — hardware manufacturers, software vendors, cloud providers, and managed service providers. It recognises that compromise at the supply chain level (e.g. compromised software updates, hardware with embedded vulnerabilities) represents a distinct risk category.
For most mid-sized organisations, this control requires:
- Identifying ICT components in your supply chain that are critical to your information security
- Establishing criteria for selecting ICT suppliers that account for supply chain security practices
- Requiring ICT suppliers to propagate security requirements through their own supply chains where relevant
- Monitoring for security advisories and vulnerabilities in ICT components you use
Practical scope for SMEs: For organisations with fewer than 500 employees, auditors typically expect a reasonable, proportionate approach to 5.21 — not a full software bill of materials programme. Demonstrating that you track critical ICT suppliers, monitor their security advisories, and have contractual security requirements is usually sufficient for initial certification.
Control 5.22 — Monitoring, review, and change management of supplier services
Control 5.22 requires ongoing monitoring of supplier performance against agreed security requirements, and management of changes to supplier relationships including modifications to the scope of services.
This is where many organisations have a gap. 5.22 is not satisfied by a one-time assessment — it requires evidence of:
- Regular review of supplier security performance (annually at minimum for critical suppliers)
- Processes for handling supplier-initiated changes (new sub-processors, service changes, ownership changes)
- Escalation paths for significant supplier security events
- Documentation of reviews, including what was assessed and what actions were taken
This is the control that drives the "ongoing" nature of supplier risk management under ISO 27001. A questionnaire you sent once two years ago does not satisfy 5.22.
What a credible evidence package looks like
For an ISO 27001:2022 surveillance audit focused on supplier risk, a credible evidence package typically includes:
- Supplier management policy — a document defining your approach, scope, roles, and review frequency. It doesn't need to be lengthy.
- Supplier register — a current inventory of relevant suppliers with risk classification, service description, and access type.
- Assessment evidence — completed questionnaires or assessment reports for your critical and high-risk suppliers, covering the last 12 months.
- Findings register — documented issues identified from assessments, with severity, status, and resolution history.
- Supplier agreements — at least a sample of DPAs and security schedules demonstrating that the 5.20 requirements are contractually covered.
- Review records — minutes, reports, or records showing that supplier security has been reviewed at management level in the last year.
Common audit findings for supplier risk controls
No documented supplier management process
Organisations that manage supplier risk informally — through individual knowledge rather than documented process — consistently fail 5.19. If the person managing supplier risk leaves, the process shouldn't leave with them.
Assessments but no follow-up
Many organisations can produce questionnaire responses for their key suppliers. What they can't produce is evidence that identified gaps were tracked and addressed. A finding with no resolution history is evidence of a broken process, not a controlled risk.
One-time contracts with no review mechanism
Signing a DPA or security addendum when a supplier is onboarded satisfies 5.20 at a point in time. But suppliers change — they adopt new sub-processors, update their security practices, or change ownership. Without a review mechanism, your agreements become stale. Auditors will ask when agreements were last reviewed and whether changes to the supplier relationship triggered a reassessment.
No distinction between supplier tiers
Treating all suppliers equally is both impractical and unconvincing. A risk-based approach that applies deeper scrutiny to critical suppliers and lighter-touch review to lower-risk ones is more credible — and more defensible — than a flat programme that nominally covers everyone.
Building a programme that satisfies all four controls
Here's how to structure a supplier risk programme that maps to 5.19–5.22:
- Classify suppliers — define tiers (critical, important, standard) with clear criteria. Assign each supplier to a tier.
- Assess by tier — critical suppliers: detailed annual assessment. Important suppliers: lighter annual assessment. Standard suppliers: biennial or triggered review.
- Document findings — every identified gap becomes a finding with severity, owner, and target resolution.
- Track and close — findings are reviewed at a defined cadence. Closed findings update the supplier's risk profile.
- Report to management — at least annually, a summary of supplier risk status, open critical findings, and trend data goes to a management audience.
- Handle changes — a trigger list for reassessment: supplier ownership change, significant breach, sub-processor addition, service scope change.
Build your ISO 27001:2022 supplier risk evidence
Supplira provides the assessments, findings, residual risk tracking, and executive reporting that map to controls 5.19–5.22. Free for up to 3 suppliers.