GRCWatch
Sign inStart free trial

ISO 27001 Control 5.22: Monitoring, Review and Change Management of Supplier Services

Suppliers are a critical link in your security chain—but they're also a risk vector if left unmonitored. Control 5.22 requires your organization to continuously monitor and evaluate how third parties handle your information security. This control ensures supplier risks don't compromise your compliance posture.

What this means

Your organization must establish ongoing processes to monitor, review, evaluate, and manage changes in how suppliers deliver services and protect information security. This includes tracking supplier security performance, assessing their control effectiveness, and managing any changes to their infrastructure, personnel, or practices that could impact your data.

How to comply

  1. 1.Document all third-party suppliers and their access to your systems or data
  2. 2.Define monitoring criteria (security controls, SLA compliance, incident reporting)
  3. 3.Schedule regular reviews of supplier security performance (quarterly or annually)
  4. 4.Conduct periodic audits or request attestations (SOC 2, ISO 27001 certs, or security assessments)
  5. 5.Establish a change management process to evaluate supplier infrastructure or service updates
  6. 6.Maintain records of monitoring activities, findings, and corrective actions
  7. 7.Define escalation procedures for supplier security incidents or non-compliance

Evidence auditors look for

  • Supplier management policy documenting monitoring requirements
  • Quarterly supplier security assessment reports
  • Third-party audit reports (SOC 2 Type II, ISO 27001 certificates)
  • SLA agreements with defined security and performance metrics
  • Change request logs showing supplier infrastructure or service modifications reviewed
  • Meeting minutes from supplier performance reviews
  • Corrective action plans issued to suppliers with remediation timelines
  • Incident logs showing supplier-related security events and responses

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates supplier monitoring by tracking attestation expiration dates, flagging overdue assessments, and centralizing audit evidence—eliminating manual spreadsheets and missed review cycles.

See how GRCWatch handles this control automatically

Start free trial

Related controls

5.23 — Information security for supplier relationships5.1 — Policies for information security8.34 — Management of information security incidents related to suppliers