Supplier Management within ISO 27001: How to Comply with the Annex A Requirement

Anyone who has thoroughly mapped out their suppliers for ISO 27001 quickly realizes that the work has only just begun. Five controls (A.5.19 to A.5.23) together govern how you manage suppliers: from policy to contract, from the ICT supply chain to cloud providers, and the monitoring of all of them. In this blog we explain which five controls form the supplier management cluster and why NIS2 further raises the stakes. We then set out, in four steps, how to demonstrate compliance concretely.

This article was last updated on 30.06.2026. Written by Mathijs Oppelaar, Operational Manager & Partner.

The five controls of the supplier management cluster

ISO 27001:2022 includes five Annex A controls that together govern supplier management.

  • A.5.19 Information security in supplier relationships: you have a policy describing how you manage suppliers and which security requirements you impose on them. This is the overarching framework.
  • A.5.20 Addressing information security within supplier agreements: what the contract itself stipulates. Examples: mandatory MFA, encryption requirements, incident reporting obligations, exit arrangements and audit rights.
  • A.5.21 Managing information security in the ICT supply chain: specific rules for IT suppliers and their subcontractors. Often the most difficult part, and the most important one for NIS2.
  • A.5.22 Monitoring, review and change management of supplier services: a periodic check that your suppliers still deliver what they promised and that their security remains at the required level.
  • A.5.23 Information security for use of cloud services: specifically for cloud providers. Examples: shared responsibility (which responsibilities lie with you and which with the provider), security requirements per service, change management on the provider's side, data location, backups and exit strategy.

Auditors examine these five in conjunction. If your policy (5.19) does not match your contracts (5.20), or if your cloud providers (5.23) are not subject to the same monitoring (5.22), a gap emerges that will surface during the audit. This again shows that ISO 27001 is not a mere checklist: the controls overlap and are closely interconnected.

Why NIS2 makes this even more demanding

The Dutch Cybersecurity Act (Cyberbeveiligingswet, Cbw), the Dutch implementation of NIS2, explicitly imposes supply chain responsibility: you are responsible not only for your own security, but also for that of your suppliers. An incident at a single IT supplier can hit hundreds of client organizations at once. Consider the faulty CrowdStrike update of July 2024, which brought air traffic at Schiphol to a standstill.

For NIS2-obligated organizations, supplier management is therefore no longer optional. Directors are personally responsible for approving the risk measures and overseeing their implementation, on pain of sanctions that, for essential entities, can include a temporary ban from management functions. The good news: robust supplier management under ISO 27001 covers most of what NIS2 requires. So don't waste effort by building the two separately.

Four steps to make supplier management auditable

Step 1. Inventory all your suppliers

Create a supplier register that records, for each supplier: which service they provide, what data they process, what access they have to your systems and how critical they are to your service delivery. Add two privacy questions per supplier: do they process personal data, and if so, are they a processor or a (joint) controller? The answer determines whether a data processing agreement (Art. 28 GDPR) is mandatory alongside the security contract.

Step 2. Classify the risk for each supplier

Not every supplier warrants the same regime. For each supplier you determine:

  • Impact of an outage or incident: what breaks in your service delivery?
  • Type of data: personal data, financial data, intellectual property, or nothing sensitive?
  • Access level: do they have access to your systems, only to logs, or none at all?
  • Single point of failure: can they be replaced, or are you locked in?

Based on this you assign a category: low, medium or high risk. The regime per category differs in contractual requirements and monitoring frequency.

Step 3. Contractually establish the requirements

Your supplier agreements (A.5.20) should include at least:

  • An MFA requirement for access to your systems.
  • Encryption requirements for data in transit and at rest.
  • An incident reporting obligation, tailored to the applicable regime. Under the GDPR: within 72 hours to the Data Protection Authority if you are the controller (Art. 33(1)); a processor must notify you "without undue delay" (Art. 33(2)). Under NIS2: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month. Agree explicitly with your supplier which regime they fall under and within what timeframe they will notify you; their deadline must leave you room to meet your own.
  • A right to audit or a verifiable certificate: ISO 27001, SOC 2 Type II or ISAE 3402 are the most common forms of assurance.
  • Exit arrangements: how do you get your data back, and how is it securely destroyed afterwards?

Does the supplier process personal data? Then a data processing agreement (DPA) is added, with the requirements of Art. 28 GDPR: documented instructions, confidentiality, a sub-processor clause, a legal basis for transfers when processing takes place outside the EEA, and the right to audit under Art. 28(3)(h). For cloud suppliers (A.5.23) an additional layer applies: data location, backup frequency, sub-processors and exit routes. When cloud suppliers process personal data, ISO 27018 is a relevant assurance signal; ISO 27701 covers the broader PIMS (Privacy Information Management System) context.

Step 4. Monitor systematically

A contract from three years ago is not proof of current security. A lead auditor wants to see that your monitoring frequency follows from your risk criteria, not from a one-size-fits-all table. A sustainable regime could look like this:

  • High-risk suppliers: annual review based on a self-assessment or an audit report.
  • Medium risk: a check every two years.
  • Low risk: a continuity check, without an in-depth review.

Plus trigger-based reviews after an incident, a scope change or M&A activity at the supplier. Document everything: without evidence, the auditor will conclude that no monitoring took place.
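The four steps above, worked through as an added example of a supplier register check. This is illustrative code written for this page, not the authors' tooling or any certified method; the register fields, the scoring weights and thresholds for Step 2, the clause names for Step 3, the review intervals for Step 4 and the three suppliers in the sample register are all assumptions chosen to mirror the text.

```python
"""Supplier register check for the ISO 27001 supplier cluster (A.5.19 to A.5.23).

Added example for this page. Field names, weights, thresholds, clause names and
review intervals are assumptions chosen to mirror the four steps in the text.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Step 3 (A.5.20): clauses every agreement needs; (A.5.23): the extra cloud layer.
ALWAYS_REQUIRED = {"incident_reporting", "audit_or_certificate", "exit"}
CLOUD_CLAUSES = {"data_location", "backup", "subprocessors"}

# Step 4 (A.5.22): review interval per category; None means continuity check only.
REVIEW_INTERVAL = {"high": timedelta(days=365), "medium": timedelta(days=730), "low": None}


@dataclass(frozen=True)
class Supplier:
    name: str
    service: str
    data_types: frozenset[str]      # subset of {"personal", "financial", "ip"}; empty = nothing sensitive
    access: str                     # "systems", "logs" or "none"
    impact: str                     # "high", "medium" or "low": what breaks if they fail?
    replaceable: bool               # False = single point of failure
    is_cloud: bool                  # True adds the A.5.23 clauses
    clauses: frozenset[str]         # clauses actually present in the signed agreement
    has_dpa: bool                   # Art. 28 GDPR data processing agreement on file
    last_review: date | None        # date of the last documented security review
    trigger_events: tuple[str, ...] = ()   # e.g. ("incident", "acquired")


def classify(s: Supplier) -> str:
    """Step 2: low / medium / high from the four criteria (weights are assumptions)."""
    score = {"high": 3, "medium": 2, "low": 1}[s.impact]
    score += 2 if s.data_types else 0
    score += {"systems": 2, "logs": 1, "none": 0}[s.access]
    score += 0 if s.replaceable else 1
    if s.impact == "high" and not s.replaceable:
        return "high"          # irreplaceable and high impact: high risk regardless of data/access
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def required_clauses(s: Supplier) -> set[str]:
    """Step 3: the contract clauses this supplier's agreement must contain."""
    req = set(ALWAYS_REQUIRED)
    if s.access != "none":
        req.add("mfa")             # MFA only matters when they can log in to your systems
    if s.data_types:
        req.add("encryption")      # in transit and at rest, for anything sensitive they hold
    if s.is_cloud:
        req |= CLOUD_CLAUSES       # A.5.23 layer
    return req


def findings(s: Supplier, today: date) -> list[str]:
    """Steps 3 and 4: the gaps an auditor would raise for this supplier."""
    out: list[str] = []
    category = classify(s)
    for clause in sorted(required_clauses(s) - set(s.clauses)):
        control = "A.5.23" if clause in CLOUD_CLAUSES else "A.5.20"
        out.append(f"{control}: agreement lacks '{clause}' clause")
    if "personal" in s.data_types and not s.has_dpa:
        out.append("Art. 28 GDPR: personal data processed but no DPA on file")
    interval = REVIEW_INTERVAL[category]
    if s.last_review is None:
        out.append("A.5.22: no documented review; auditor will treat supplier as unmonitored")
    elif interval is not None and today - s.last_review > interval:
        due = s.last_review + interval
        out.append(f"A.5.22: {category}-risk review overdue since {due.isoformat()}")
    for event in s.trigger_events:
        out.append(f"A.5.22: trigger-based review required ({event})")
    return out


def register_report(suppliers: list[Supplier], today: date) -> dict[str, tuple[str, list[str]]]:
    """Step 1 register in, {name: (category, findings)} out."""
    return {s.name: (classify(s), findings(s, today)) for s in suppliers}


# Constructed sample register: three fictional suppliers.
SAMPLE = [
    Supplier("CloudERP", "ERP SaaS", frozenset({"personal", "financial"}), "systems", "high",
             replaceable=False, is_cloud=True,
             clauses=frozenset({"mfa", "encryption", "incident_reporting", "exit", "backup"}),
             has_dpa=False, last_review=date(2023, 5, 1), trigger_events=("incident",)),
    Supplier("PayrollCo", "payroll processing", frozenset({"personal"}), "none", "medium",
             replaceable=True, is_cloud=False,
             clauses=frozenset({"encryption", "incident_reporting", "audit_or_certificate", "exit"}),
             has_dpa=True, last_review=date(2024, 9, 15)),
    Supplier("CleanCo", "office cleaning", frozenset(), "none", "low",
             replaceable=True, is_cloud=False, clauses=frozenset(), has_dpa=False, last_review=None),
]


def sample_report(today: date = date(2025, 10, 1)) -> dict[str, tuple[str, list[str]]]:
    """Report for the sample register, pinned to a fixed 'today' so results are reproducible."""
    return register_report(SAMPLE, today)


if __name__ == "__main__":
    for name, (category, gaps) in sample_report().items():
        print(f"{name} [{category}]")
        for gap in gaps:
            print("  -", gap)
```

Run as a script it prints each supplier's category and its open gaps. The point is that the category, the required clauses and the review due date are all derived from the criteria recorded in the register rather than typed in by hand; that traceability from criteria to regime is exactly what the lead auditor asks for in Step 4.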

What an auditor wants to see

A typical audit question: "Show me your three most critical suppliers: what is in their contract, when was their security last verified, and what happens if they fail tomorrow?" Anyone who can answer that in a few minutes has their supplier management in order. Anyone who first has to go looking for the supplier list does not.

Frequently Asked Questions

What is the difference between A.5.19 and A.5.20?

A.5.19 is your policy (how you deal with suppliers). A.5.20 is what is stated in each individual contract. One is the framework, the other is the implementation.

How in-depth should my supplier assessment be, and how many/which suppliers should I include?

That depends on your organization. An average SME has dozens to hundreds of suppliers once you count SaaS tools. For smaller organizations a risk-based top 10 of critical suppliers is often acceptable to the auditor, provided you justify the selection. Only suppliers that affect one of the CIA criteria (confidentiality, integrity, availability) are in scope. Think of suppliers for IT and cloud, data processing, physical access and data carriers.

What if my supplier is ISO 27001 certified?

Their certificate is proof that they have their own house in order, but you still want to verify it: check its validity, its scope and their Statement of Applicability. You must also demonstrate that you have assessed that supplier, contractually defined the scope and monitor them periodically. Do they process personal data? Then a data processing agreement remains mandatory.

Ready to sharpen your supplier management?

Supplier management is one of the biggest gaps we encounter in audit practice. Feel free to discuss with us where you currently stand on A.5.19 to A.5.23, which suppliers pose the highest risk and what you can fix in the coming quarter. Schedule a free, no-obligation consultation here.

