Monitoring, Review and Change Management of Supplier Services - ISO 27001 Annex A Control

ISO 27001 Annex A 5.22

Supplier relationships need active management - not just contract signing.

ISO 27001 Annex A 5.22 - Monitoring, Review and Change Management of Supplier Services

The supplier relationship does not end when the contract is signed. Services evolve. Suppliers go through their own organisational changes - acquisitions, restructures, new sub-processors, certifications expiring. Without active oversight, the security position at contract signing slowly diverges from the security position today.

The control asks for ongoing review proportionate to the risk. Critical suppliers might warrant a structured annual review with documented evidence of their current controls. Less critical suppliers might warrant only confirmation that the position has not materially changed. Either way, the review needs to happen on a defined cycle and the outcome needs to be recorded.

Change management is the active half. When a supplier announces a new sub-processor, a change of location, an acquisition, or a significant change to their service, the organisation needs a way of picking that up and assessing the impact. Some changes will be neutral, some will improve the position, and some will introduce new risk that needs treatment.

The most useful question for ongoing supplier review is "what has changed since we last looked?" - new sub-processors, new locations, expired certificates, new service tiers, recent incidents. If the answer is nothing, the existing position holds. If something has changed, that change becomes the focus of the review.

Practical Compliance Guidance

Ongoing supplier monitoring forms part of the supplier management approach described in the IMS1 Manual in section 8.2. The supplier register and periodic supplier appraisals provide the evidence trail.

alphaZ document - How to use it

ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit, including the IMS1 Manual, policies, procedures, registers and audit checklists.

F-Q9 Supplier Contractor Appraisal - The appraisal form used for periodic supplier review. Use the form on the defined cycle for each supplier and record the outcome, including any actions arising.

ER15 Information Security Risks - This register provides a comprehensive listing and analysis of all information security risks and treatments. It is intended to be useful and simple to use while also covering all associated requirements of the ISO 27001 standard.

P-37 Supplier Security Policy - The Supplier Security Policy states the company's policy on appraising, monitoring and reviewing suppliers who can provide, access, store or communicate with the company's IT infrastructure components.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How often should suppliers be reviewed?

At a frequency proportionate to risk. Critical suppliers handling confidential information typically get an annual structured review. Less critical suppliers may be reviewed less often. Some changes in supplier circumstances should also trigger a review outside the planned cycle.

Which changes should trigger a review outside the planned cycle?

Changes in the supplier's ownership, a significant change to the service being received, a change in sub-processors (particularly to new jurisdictions), supplier security incidents, expiry of relied-on certifications, or a significant change to the data being shared with the supplier. Any of these warrants a fresh look.

What evidence should be kept?

A record of the review: what was covered, what evidence was looked at, what conclusions were drawn and any actions arising. For higher-risk suppliers, copies of the evidence reviewed - certifications, audit reports, security questionnaire responses - should be kept. The audit will sample these to confirm reviews are happening.
