Managing Information Security in the ICT Supply Chain - ISO 27001 Annex A Control
ISO 27001 Annex A 5.21
ICT supply chains carry risks far beyond the immediate supplier.
The ICT supply chain runs further than the supplier the organisation has a direct relationship with. A cloud provider has its own infrastructure suppliers. A software vendor has open source dependencies and third-party libraries, each of which pulls in its own transitive dependencies. A hardware manufacturer has component suppliers. Each layer can introduce risk that the organisation has no direct visibility into.
The control asks for the supplier management process to consider this chain rather than stopping at the immediate supplier. That means asking suppliers about their own supply chain practices, looking at how they vet their sub-processors and suppliers, and understanding where critical dependencies and single points of failure sit. For software-heavy environments it also means considering the open source components that go into the products in use, including the transitive dependencies those components bring with them.
The depth of investigation has to be proportionate. For low-risk services the immediate supplier's standard assurances are usually enough. For critical or sensitive services the questions about the wider chain need to be more direct, and the answers more substantive, particularly where the chain crosses into jurisdictions or providers that introduce additional risk.
Supply chain risk is one of the harder areas to audit because visibility runs out quickly past the first supplier. What I look for is whether the organisation has thought about it - asked the right questions of its key suppliers, identified the points where the chain matters most, and recorded any residual risk in the register. Perfect visibility is unrealistic. Considered awareness is achievable.
Practical Compliance Guidance
ICT supply chain considerations sit alongside the broader supplier management approach in the IMS1 Manual at section 8.2. The supplier register and supplier appraisal forms hold the practical record.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists. |
| F-Q9 Supplier Contractor Appraisal | The supplier appraisal form. For ICT suppliers, use the form to capture supply chain considerations including sub-processor arrangements and any concentration of risk in the chain. |
| ER15 Information Security Risks | This register provides a comprehensive listing and analysis of all Information Security risks and treatments and is intended to be useful and simple to use while also covering all associated requirements of the ISO 27001 standard. |
Note - all the above files can be downloaded with an alphaZ subscription.
