GRCWatch
Sign inStart free trial

ISO 27001 Control 5.21: Managing Information Security in the ICT Supply Chain

Your organization's security is only as strong as your weakest vendor. ISO 27001 control 5.21 requires you to identify, assess, and continuously monitor information security risks throughout your entire ICT product and services supply chain. Without a structured supply chain security program, vulnerabilities can slip through third-party relationships and compromise your most critical assets.

What this means

Control 5.21 mandates that organizations establish formal processes and procedures to manage security risks associated with ICT products and services obtained from external suppliers and vendors. This includes assessing supplier security practices, defining contractual security requirements, monitoring supplier compliance, and maintaining oversight of the entire supply chain lifecycle. The control recognizes that outsourced ICT components introduce new risk vectors that must be actively managed to maintain your organization's overall information security posture.

How to comply

  1. 1.Document and maintain a comprehensive ICT supply chain inventory identifying all suppliers, products, and services used across your organization
  2. 2.Establish security assessment criteria and evaluate suppliers against ISO 27001 requirements or equivalent security standards before engagement
  3. 3.Include specific information security requirements and clauses in all contracts with ICT vendors and service providers
  4. 4.Implement a vendor risk assessment process that evaluates the security maturity, certifications, and controls of each supplier
  5. 5.Define monitoring procedures to ensure ongoing supplier compliance with agreed security requirements throughout the contract term
  6. 6.Establish incident reporting and notification requirements requiring vendors to inform you of security breaches or vulnerabilities within defined timeframes
  7. 7.Conduct regular audits and assessments of critical suppliers, with frequency based on risk assessment findings
  8. 8.Maintain documented evidence of all supply chain security reviews, assessments, and corrective actions taken

Evidence auditors look for

  • ICT supply chain risk assessment documentation with identified suppliers and risk ratings
  • Vendor security evaluation questionnaires and assessment reports from supplier onboarding
  • Master service agreements and contracts showing embedded information security requirements and clauses
  • Supplier security policies and certifications (ISO 27001, SOC 2, etc.) on file
  • Vendor management policy documenting supply chain security governance and roles
  • Audit schedules and reports from periodic supplier security assessments
  • Evidence of security requirements communicated to suppliers and acknowledgment of acceptance
  • Vendor performance metrics showing compliance monitoring against security KPIs
  • Incident reports from suppliers and records of remediation actions

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's vendor risk assessment module automates ICT supply chain evaluation, tracks assessment schedules, and maintains compliance evidence—eliminating manual spreadsheets and ensuring no vendor slips through oversight.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 4.2 - Understanding the needs and expectations of interested partiesISO 27001 8.1 - Operational planning and controlISO 27001 A.5.19 - Acquisition, development and maintenance of information systems and applications