GRCWatch
Sign inStart free trial

ISO 27001 Control 5.20: Addressing Information Security within Supplier Agreements

Your suppliers are extensions of your security perimeter. ISO 27001 5.20 requires you to establish clear information security requirements in every supplier agreement based on relationship type and risk level. Without proper supplier controls, even the strongest internal security can be compromised.

What this means

Control 5.20 mandates that organizations define and agree upon information security requirements with each supplier. These requirements must be tailored to the specific supplier relationship type (critical, standard, or limited access) and proportionate to the security risks they present. This ensures suppliers maintain adequate safeguards for your data and systems they access or handle.

How to comply

  1. 1.Classify suppliers by relationship type and assign risk levels based on data access, system criticality, and operational impact
  2. 2.Develop supplier-specific information security requirements addressing confidentiality, integrity, availability, and compliance obligations
  3. 3.Include security clauses in all supplier contracts covering data protection, access controls, incident reporting, and audit rights
  4. 4.Document agreed-upon security requirements and obtain signed acknowledgment from each supplier
  5. 5.Conduct initial security assessments of critical suppliers before granting access
  6. 6.Establish ongoing monitoring and periodic re-assessment schedules aligned to risk profiles
  7. 7.Define remediation processes for non-compliance and termination conditions for persistent violations

Evidence auditors look for

  • Supplier classification matrix documenting risk levels and corresponding security requirement sets
  • Signed supplier agreements with embedded information security clauses and appendices
  • Security questionnaires completed and approved by suppliers
  • Pre-engagement security assessment reports for critical or high-risk suppliers
  • Supplier audit logs, assessment results, and compliance certifications (ISO 27001, SOC 2, etc.)
  • Documented remediation plans addressing identified supplier security gaps
  • Supplier risk register tracking ongoing compliance status and review dates
  • Evidence of contract amendments when security requirements are updated

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates supplier risk classification, generates pre-populated security requirement templates, and tracks agreement signatures and assessment schedules—eliminating manual spreadsheets and ensuring no supplier agreement falls through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.19 — Information Security in Customer RelationshipsISO 27001 5.23 — Information Security for Use of Supplier ICT ServicesISO 27001 4.2 — Understanding the Needs and Expectations of Interested Parties