ISO 27001 requires supplier management. Most companies aren't ready when the auditor asks.

ISO 27001 was substantially updated in 2022 — the first major revision since 2013. The changes to supplier and third-party risk management were among the most significant. If you're working from templates, blog posts, or consultant guidance written before 2022, your supplier management programme may not satisfy the current standard.

ISO 27001:2022 Annex A groups supplier management under Theme 5 (Organisational controls). Here are the four specific controls, what they require, and what evidence an auditor will look for when testing each one.

These four controls work as a system: A.5.19 establishes your policy and process, A.5.20 ensures your contracts support your requirements, A.5.21 extends your visibility into the supply chain, and A.5.22 ensures the whole thing operates continuously rather than as a one-time exercise.

Understanding what an ISO 27001 auditor is actually looking for — as opposed to what the control says on paper — is the key to being genuinely prepared. Auditors assess both design (does your process make sense?) and operation (does evidence show it's actually working?). Here's how they approach each of the four supplier controls:

For A.5.19 — Supplier relationships policy

Auditors will ask to see your supplier management policy and will then test whether it's actually being followed. They'll review a sample of recently onboarded suppliers to check whether your policy's requirements were applied — risk classification, initial assessment, agreement review. A policy that says the right things but isn't evidenced in practice will result in a finding.

For A.5.20 — Security in agreements

Auditors will sample your supplier agreements — particularly for critical suppliers — and check for specific security provisions. They're looking for data protection clauses, breach notification obligations, security standards (either requiring certification or specifying requirements), and your right to audit or receive assurance. Standard terms of service without specific security provisions rarely satisfy this control for critical suppliers.

For A.5.21 — ICT supply chain

This is the control that catches most organisations off guard, particularly at first certification. Auditors will ask how you manage the security of your ICT supply chain — meaning how you handle the fact that your cloud provider, your SaaS tools, and your data processors all have their own supply chains. You don't need to audit AWS's suppliers, but you need to demonstrate that you've considered ICT supply chain risk and have a proportionate approach to managing it — typically by reviewing your critical suppliers' sub-processor lists and their own certification status.

For A.5.22 — Ongoing monitoring

This is where most organisations with good initial assessments fall down in surveillance audits. An auditor will ask for evidence of supplier reviews conducted during the audit period — not policies about when reviews should happen. They want to see that monitoring is happening: that security incidents affecting your suppliers are being tracked, that certifications are being checked on renewal, that contract expiries are being managed. Without a system generating this evidence automatically, it’s very hard to demonstrate consistently.

• No formal supplier register. The starting point for all four controls is a complete, classified list of your suppliers. Without one, an auditor has no baseline to assess. The register needs to include not just your software vendors but contractors, data processors, facilities providers — anyone whose failure or compromise could affect your information security.
• Contracts without security provisions. Standard vendor terms of service don't satisfy A.5.20. Auditors will ask to see the specific security-related clauses in your critical supplier agreements. If you're relying on a SaaS vendor's published terms without ensuring they address your security requirements, this will be raised as a finding.
• No ICT supply chain visibility. A.5.21 is the control most newly caught out by the 2022 revision. Auditors want to see that you've identified which of your ICT suppliers have sub-processors, reviewed their sub-processor lists for material risk, and considered the concentration risk in your technology stack. This doesn't require exhaustive mapping, but it does require demonstrated awareness and a proportionate response.
• No evidence of ongoing monitoring. Annual certification and surveillance audits both require evidence that monitoring is happening — not just that a policy says it should. If you can't show dated records of supplier reviews, breach monitoring, or certificate renewal checks, A.5.22 will be flagged. “We check when we remember” is not a process an auditor can certify.
• Offboarding gaps. A.5.19 includes supplier offboarding — what happens when a supplier relationship ends. Auditors will ask about your process for revoking access, retrieving or destroying data, and closing out agreements. Many organisations have onboarding processes but no documented offboarding — leaving a trail of former suppliers with potentially active credentials.

A compliant ISO 27001 supplier management programme doesn't need to be complex — it needs to be complete, documented, and operating consistently. Here's what that looks like across each of the four control areas:

Supplier register and classification (A.5.19)

Your starting point is a register of every supplier relationship within scope of your ISMS. This includes technology suppliers (cloud infrastructure, SaaS, software), professional services firms with access to your systems or data, contractors and consultants with system access, and any processors or sub-processors handling personal data. Each supplier should be classified by criticality — typically a simple Critical/High/Medium/Low framework — which then determines the depth of assessment and frequency of review applied. The classification also determines the level of security requirements you need in the supplier agreement.

Security requirements in agreements (A.5.20)

For critical and high-risk suppliers, your agreements need to explicitly address: data protection and processing obligations (a DPA if they handle personal data), the security standards you expect them to maintain or certify against, their obligations to notify you of security incidents within a defined timeframe, your right to audit or receive third-party certification as assurance, and the consequences of security failures including liability provisions. Getting these provisions in place is a one-time effort per supplier and can often be achieved through a mutual security addendum rather than renegotiating the entire contract.

ICT supply chain visibility (A.5.21)

For your critical ICT suppliers — particularly cloud providers and SaaS platforms that handle your data — you should be reviewing their sub-processor or fourth-party disclosure lists and considering any material risk from concentration or geography. Most major cloud providers publish this information. The goal isn't exhaustive supply chain mapping, it's demonstrating that you've identified where your material ICT supply chain risks are and have a proportionate approach to managing them.

Ongoing monitoring and annual reviews (A.5.22)

Monitoring needs to happen continuously and be evidenced. At minimum, this means: reviewing critical supplier security certifications at their annual renewal, tracking security incidents that affect your suppliers, monitoring for sanctions or ownership changes that might affect supplier risk, managing contract renewals and expiries, and conducting formal supplier reviews at least annually. Without a system that automates and timestamps this monitoring, generating audit evidence for a twelve-month surveillance period is an enormous manual effort.

Vendorapp maps directly onto the evidence requirements of A.5.19 through A.5.22. Every feature produces output that an auditor can review — and everything is timestamped, never deleted, and exportable in minutes.

1. 1

   Build a complete, classified supplier register (A.5.19)

   Search 22M+ suppliers by name or URL. Add every supplier in your ISMS scope — cloud, SaaS, contractors, subprocessors — and classify each by risk level. Vendorapp's risk classification framework maps directly to what ISO 27001 auditors expect to see. Your register stays current automatically as suppliers are added, reviewed, and offboarded.

2. 2

   Centralise agreements with security provisions (A.5.20)

   Upload supplier contracts and Vendorapp Intelligence extracts key terms automatically — contract type, value, expiry, renewal terms. Your DPAs, security addenda, and breach notification clauses are stored alongside each supplier profile. Auditors can see at a glance which suppliers have compliant agreements and which need attention — before the audit, not during it.

3. 3

   Assess and document ICT supply chain risk (A.5.21)

   Vendorapp Intelligence runs security posture assessments on every supplier in your register, flagging areas of concern in their own security posture and surfacing their certification status. For your critical ICT suppliers, the inherent and residual risk scoring creates the documented, evidence-based assessment of supply chain risk that A.5.21 requires.

4. 4

   Monitor continuously with a full audit trail (A.5.22)

   Continuous screening against OFAC, UN, EU, UK OFSI, and DFAT sanctions lists runs automatically on every supplier. Smart alerts notify you of security incidents, sanctions changes, certificate expiries, and contract renewals. Every alert, every check, and every review is timestamped and stored — giving you twelve months of monitoring evidence for your surveillance audit without any manual effort.

5. 5

   Export audit-ready evidence packs

   When your certification body asks for supplier management evidence, generate a complete report in three clicks. Vendorapp produces board-ready and auditor-ready outputs covering your full supplier register, risk assessments, monitoring history, contract status, and audit trail. Offboarded suppliers are preserved in your history — never deleted — satisfying the offboarding evidence requirement automatically.

What your certification body will be able to see

• Complete supplier register with risk classifications (A.5.19)
• Evidence of supplier onboarding and offboarding process (A.5.19)
• Contract register with security provisions and DPA status (A.5.20)
• Security posture assessments for ICT suppliers (A.5.21)
• ICT sub-processor visibility and supply chain risk records (A.5.21)
• Continuous sanctions and watchlist screening history (A.5.22)
• Security incident and breach monitoring records (A.5.22)
• Timestamped supplier review history across the audit period (A.5.22)
• Full audit trail of all changes, assessments, and decisions

If you're starting from scratch or significantly behind on your supplier management programme, here's a practical sequence that gets you to audit-ready efficiently.

Step 1: Define your scope

Your supplier register should cover all suppliers within your ISMS scope — not every company your organisation pays money to. Start by asking: which suppliers have access to information assets within scope? Which process, store, or transmit data that’s within scope? Which provide services that, if disrupted, would affect your information security? These are your in-scope suppliers.

Step 2: Compile your initial register

Pull together your list from the obvious sources: your procurement records, your cloud and SaaS subscriptions, your contractor agreements, your data processor register if you maintain one for GDPR purposes. Then do a more thorough sweep — check who has API credentials, who has access to your production environment, what’s integrated into your infrastructure. The long tail is where auditors find gaps.

Step 3: Classify by risk

For each supplier, assign a risk classification. A simple framework: Critical (has direct access to production systems or handles sensitive personal data at scale), High (has access to internal systems or handles personal data), Medium (has access to non-sensitive internal information), Low (provides a service with no direct system or data access). Apply proportionate controls to each tier.

Step 4: Assess your critical and high-risk suppliers

For Critical and High suppliers, run a formal risk assessment: what data do they access? What's their security posture — do they hold SOC 2, ISO 27001, or equivalent? Have they had relevant security incidents? What's your concentration risk if this supplier failed or was compromised? Document the assessment with a date and your risk conclusion.

Step 5: Review your agreements

For each Critical and High supplier, review whether your agreement addresses information security. If it doesn't — or if you're relying on standard terms of service — prioritise getting a security addendum or DPA in place. For Medium suppliers, check at minimum whether there's a DPA if they handle personal data.

Step 6: Set up ongoing monitoring

The difference between a one-time exercise and a compliant programme is ongoing monitoring. Set up a process — or better, a tool — that tracks contract expiries, security certifications renewals, sanctions status changes, and security incidents affecting your suppliers. This monitoring needs to generate evidence, not just happen in someone's head.