Addressing Information Security within Supplier Agreements - ISO 27001 Annex A Control
ISO 27001 Annex A 5.20
If the contract does not require it, the supplier will not provide it.
ISO 27001 Annex A 5.20 - Addressing Information Security within Supplier Agreements
A handshake agreement does not work for information security. The control requires information security requirements to be set out explicitly in the agreements with each supplier, in language that is enforceable and reflects the actual risk of the relationship.
Typical clauses include the supplier's obligations on confidentiality and protection of information, the controls they will apply, the sub-processors they may use, the right to audit, the incident notification process, and the obligations on return or destruction of information at the end of the relationship. Where personal data is involved, the data processing terms required under UK GDPR sit alongside the broader security clauses.
The depth of contractual coverage should match the risk. A supplier providing low-risk generic services may need only standard confidentiality and security clauses. A supplier processing sensitive personal data or running critical infrastructure needs detailed clauses covering controls, evidence, audit rights and incident response.
The contracting moment is the cheapest place to set expectations. Once a supplier is in place, getting them to agree to additional security clauses afterwards is harder and sometimes impossible. The lesson is to put the right clauses in at the start, especially for the suppliers who will handle anything sensitive.
Practical Compliance Guidance
Supplier agreements covering information security are addressed under section 8.2 of the IMS1 Manual on information security arrangements. The supplier register holds the master record of suppliers and the agreements in place.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists. |
| F-IMS42 Key Suppliers Register | The register of key suppliers with the agreements in place. Use to track which suppliers have appropriate information security clauses and where any gaps need closing. |
| P-37 Supplier Security Policy | The Supplier Security Policy states the company's policy on appraising, monitoring and reviewing suppliers who can provide, access, store or communicate with the company's IT infrastructure components. |
| PP-1-09 Supplier Appraisal Policy Procedure | Policy-procedure on supplier appraisal. It details the arrangements in place to manage the appraisal of suppliers against key criteria, to ensure they have both the capacity and capability to fulfil business needs before working with us, and to govern the ongoing review and appraisal of the performance of existing suppliers. |
Note - all the above files can be downloaded with an alphaZ subscription.
