
ISO 27001 A.5.20: Addressing information security within supplier agreements

What This Control Requires

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

In Plain Language

A handshake and a generic NDA are not enough. If a supplier suffers a breach involving your data and the contract does not spell out their security obligations, you have very little recourse.

While A.5.19 covers the overall approach to supplier security risk, this control zooms in on what actually goes into the agreements. The security clauses need to be tailored to the relationship - a cloud hosting provider needs very different contractual protections than a cleaning company or a consultancy.

These agreements are your legal foundation for holding suppliers accountable. They should cover what the supplier must protect, how they must report incidents, how you can verify compliance, and what happens when things go wrong.

How to Implement

Create a library of standard security clauses that can be mixed and matched for different supplier types. Get legal counsel involved early to make sure they are enforceable in your jurisdiction.

Core security requirements for agreements:

  • What information is being accessed or processed, and its classification
  • Specific controls the supplier must have in place (encryption, access control, monitoring)
  • Compliance with applicable laws and regulations (GDPR and industry-specific rules)
  • Incident notification obligations with clear timeframes (typically 24-72 hours)
  • Right to audit or to receive audit reports
  • Restrictions on sub-processing and requirements for the supplier's own supply chain
  • Data residency and cross-border transfer rules where relevant

Also cover:

  • Business continuity and disaster recovery expectations
  • Data backup and retention
  • Secure disposal of data when the contract ends
  • Personnel security requirements for supplier staff who have access
  • Change management notifications for anything affecting security
  • Intellectual property protection
  • Liability for breaches

For cloud providers specifically, add clauses on:

  • Multi-tenancy and data segregation
  • Encryption at rest and in transit
  • Identity and access management
  • Logging and monitoring capabilities
  • Data portability and exit strategy
  • SLAs for availability and security metrics

Make sure the security team reviews every agreement that involves access to or processing of organisational information before it gets signed. Keep a register of active agreements and their security provisions. Review existing agreements periodically - relationships evolve and contracts should keep pace.

Evidence Your Auditor Will Request

  • Template security clauses used in supplier agreements
  • Signed supplier agreements containing relevant security requirements
  • Records of security review and approval of supplier agreements
  • Register of active supplier agreements with security provision summaries
  • Evidence of agreement reviews and updates for existing supplier relationships

Common Mistakes

  • Supplier agreements do not contain specific security requirements beyond generic confidentiality clauses
  • Security team does not review supplier agreements before signing
  • Agreements do not include incident notification obligations or right to audit
  • One-size-fits-all approach where the same clauses are used regardless of supplier risk level
  • Agreements are signed but not revisited or updated as the relationship changes

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC9.2           Related
GDPR        Art.28          Equivalent
NIS2        Art.21(2)(e)    Related

Frequently Asked Questions

What if a large supplier will not agree to our security clauses?

This is reality with the big cloud and SaaS providers - their terms are take-it-or-leave-it. In practice, review their standard terms carefully, request additional documentation (SOC 2 Type II reports, their DPA), assess the residual risk, and implement compensating controls on your side where needed. Document your risk acceptance decision. If their standard terms are fundamentally inadequate for your needs, look at alternatives. But for most major providers, their baseline security is solid even if the contract is not customised.

Do we need separate security agreements or can they be part of the main contract?

Either approach works. You can embed security requirements directly in the main contract, attach them as a schedule or annex, or reference a separate information security agreement. Most organisations end up with a Data Processing Agreement (DPA) for GDPR compliance that covers many of the security requirements, plus additional clauses in the main contract or a security schedule. Pick whatever structure your legal team is comfortable with - the important thing is that the requirements are there, clear, and enforceable.
