ISO 27001:2022 and the Reorganization of Supplier Controls
When ISO 27001 was revised in 2022, one of the significant structural changes was the reorganization of supplier relationship controls. In the 2013 version, supplier controls lived in Annex A.15 (Supplier relationships), divided into A.15.1 (Information security in supplier relationships) and A.15.2 (Supplier service delivery management). The 2022 revision dispersed and expanded these requirements across multiple clauses: A.5.19 through A.5.23 cover information security in supplier relationships, while A.8.30 addresses outsourced activities.
For security teams advising on ISO 27001:2022 certification or conducting vendor assessments against that standard, understanding this reorganization matters. The 2022 requirements are more granular and more explicit than their 2013 predecessors, particularly regarding the management of cloud service suppliers (A.5.23 is new to the 2022 revision) and the handling of information security incidents within the supply chain.
What the Supplier Relationship Clauses Actually Require
A.5.19: Information security in supplier relationships
This is the foundational supplier control — the requirement to define and implement processes for managing information security risks associated with supplier access to your organization's assets. "Assets" here includes information, systems, and processes — not just data repositories. A supplier who has administrative access to your production infrastructure is within scope of A.5.19 even if they do not directly handle customer data.
The practical audit expectation for A.5.19 is evidence of a formal supplier risk management process: documented procedures for identifying which suppliers require security assessment, criteria for determining assessment scope, and records showing that assessments were actually conducted. A policy document stating that supplier assessments are conducted is not sufficient evidence; you need records demonstrating that assessments occurred and were reviewed.
A.5.20: Addressing information security within supplier agreements
A.5.20 requires that information security requirements be established and agreed with each supplier whose relationship poses risk to your organization. "Agreed" means contractually binding — not just communicated in a questionnaire or noted in a security policy. The clause specifies a set of areas that supplier agreements should address, including classification of information accessible to the supplier, the supplier's security and privacy obligations, incident notification requirements, and the right to audit or assess supplier compliance.
The right-to-audit provision deserves specific attention. Many organizations include it in standard contract language but never exercise it, rendering it an empty clause. Auditors conducting ISO 27001:2022 assessments will ask whether right-to-audit provisions exist for critical suppliers and whether they have been exercised or assessed through alternative means (SOC 2 reports, third-party assessments). The answer needs to be substantive, not theoretical.
A.5.21: Managing information security in the ICT supply chain
This clause addresses the security requirements that your organization communicates to ICT suppliers specifically — software, hardware, and technology service providers in your supply chain. It is distinct from general supplier management in that it acknowledges the particular risks of technology supply chains: software supply chain attacks, hardware component integrity, and the embedded software in devices that may have security implications independent of the application layer.
For most mid-market organizations, A.5.21 translates to: do your software vendors have a documented secure development lifecycle? Do they conduct security testing on their software before release? Is there a process for notifying customers of critical vulnerabilities? These are questions your vendor questionnaire should be covering for any ICT supplier categorized as high-criticality.
A.5.22: Monitoring, review, and change management of supplier services
A.5.22 addresses the ongoing monitoring requirement — the obligation to regularly review supplier performance and security posture against agreed requirements, and to manage changes to supplier services that could affect your security posture. This is where the "point-in-time assessment" model breaks down against ISO 27001 requirements. A questionnaire completed at contract inception and never revisited does not satisfy A.5.22.
The practical implementation requires a defined review cadence for active supplier relationships, a process for triggering out-of-cycle reviews when significant changes occur (supplier acquisition, major platform changes, reported security incidents), and documented evidence that reviews were conducted and findings addressed. The review cadence should be risk-tiered — critical suppliers warrant more frequent review than low-risk ones.
A.5.23: Information security for use of cloud services
A.5.23 is new to the 2022 revision and reflects how significantly cloud services have changed the supplier risk landscape since 2013. It requires that the acquisition, use, management, and exit from cloud services be governed by a defined process that addresses the security implications at each stage. The exit provision is often overlooked: how does your organization ensure data is returned or destroyed when a cloud service relationship ends, and how is access to shared infrastructure revoked?
For vendor assessment purposes, A.5.23 translates to a specific questionnaire domain for cloud service providers covering shared responsibility model documentation, data residency and sovereignty controls, customer data isolation architecture, and contract exit provisions including data portability and deletion certification.
A Practical Assessment Approach for Each Clause
When assessing a vendor against these requirements — either to verify that your vendor meets them, or to verify that your own organization meets them for your customers — the assessment approach differs by clause.
For A.5.19 and A.5.20, the primary evidence is documentation: the supplier risk management policy, supplier contract templates including security clauses, and records of assessments conducted. These are document review items that can be partially addressed through questionnaire responses with document evidence attached.
For A.5.21, technical evidence is required alongside documentation: secure development lifecycle documentation, penetration test executive summaries, vulnerability disclosure policies, and if available, software composition analysis or SBOM (Software Bill of Materials) documentation. Questionnaire items asking about SDLC practices without requesting evidence produce self-attestation only.
For A.5.22, the key evidence is operational records: meeting minutes or reports from supplier review discussions, records of change notifications from suppliers and how they were processed, and any risk acceptance decisions made when supplier service changes introduced new exposures.
For A.5.23, cloud service providers with SOC 2 Type II reports covering the availability, confidentiality, and security trust services criteria provide the strongest evidence base. However, the SOC 2 report covers the cloud provider's controls on their side of the shared responsibility model. Evidence that your organization has correctly implemented controls on its side of that model — access management, data classification, configuration management — requires separate assessment.
What Auditors Look For That Most Programs Miss
The most common finding in ISO 27001:2022 assessments related to supplier controls is the gap between policy and practice. Organizations can typically demonstrate that a supplier security policy exists and that questionnaires were sent to suppliers. Where they struggle is demonstrating that assessment findings were reviewed by someone accountable, that identified gaps were addressed or formally risk-accepted, and that the supplier relationship has been monitored after the initial assessment.
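The A.5.22 requirements above (a risk-tiered review cadence, out-of-cycle triggers, and evidence that reviews happened) and the policy-versus-practice gap described in this section both come down to checking a supplier register for overdue reviews and unresolved findings. The following Python module is an added example, not code from the article or any product it describes; the review intervals per tier, the trigger events, the finding states and the supplier register are all constructed for illustration, and a real program would take these from its own policy and records.

```python
"""Added example: risk-tiered supplier review scheduling plus an evidence-gap check.

Everything here is illustrative. The tier intervals are assumed values, the
trigger events mirror the ones named in the A.5.22 discussion, and the register
below is constructed sample data, not a real supplier list.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed review cadence per risk tier, in days (hypothetical policy values).
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}

# Supplier-side events that trigger a review outside the normal cadence.
OUT_OF_CYCLE_TRIGGERS = {"acquisition", "platform_change", "security_incident"}

# Date the register is evaluated against (fixed so results are reproducible).
AS_OF = date(2024, 6, 1)


@dataclass
class Finding:
    finding_id: str
    severity: str
    status: str                   # "open", "remediated" or "risk_accepted"
    reviewed_by: str = ""         # accountable reviewer; empty = never reviewed
    risk_acceptance_ref: str = "" # reference to the formal acceptance decision


@dataclass
class Supplier:
    name: str
    tier: str
    last_review: date
    change_events: list = field(default_factory=list)  # (date, event_kind)
    findings: list = field(default_factory=list)


def review_due(supplier, today):
    """Return (due, reason): due by cadence, or by an out-of-cycle trigger
    that occurred after the last recorded review."""
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[supplier.tier])
    if today - supplier.last_review > interval:
        return True, "cadence"
    for event_date, kind in supplier.change_events:
        if kind in OUT_OF_CYCLE_TRIGGERS and event_date > supplier.last_review:
            return True, f"out-of-cycle:{kind}"
    return False, ""


def evidence_gaps(supplier):
    """List the ways a finding fails the 'reviewed, then remediated or
    formally risk-accepted' expectation."""
    gaps = []
    for f in supplier.findings:
        if not f.reviewed_by:
            gaps.append(f"{f.finding_id}: not reviewed by an accountable owner")
        if f.status == "open":
            gaps.append(f"{f.finding_id}: open, neither remediated nor risk-accepted")
        if f.status == "risk_accepted" and not f.risk_acceptance_ref:
            gaps.append(f"{f.finding_id}: risk acceptance has no recorded decision")
    return gaps


def assess_register(suppliers, today):
    """Build a per-supplier report of review status and evidence gaps."""
    report = {}
    for s in suppliers:
        due, reason = review_due(s, today)
        report[s.name] = {"review_due": due, "reason": reason,
                          "gaps": evidence_gaps(s)}
    return report


# Constructed sample register (fictional suppliers and dates).
SAMPLE_REGISTER = [
    Supplier("CloudHost Ltd", "critical", date(2024, 4, 15),
             change_events=[(date(2024, 5, 10), "acquisition")],
             findings=[Finding("F-1", "high", "risk_accepted",
                               reviewed_by="CISO", risk_acceptance_ref="RA-2024-03")]),
    Supplier("PayrollSoft", "high", date(2023, 10, 1),
             findings=[Finding("F-2", "medium", "open")]),
    Supplier("OfficeSupplies Co", "low", date(2023, 1, 15),
             change_events=[(date(2024, 2, 1), "contact_change")]),
]


def sample_report():
    """Evaluate the constructed register as of AS_OF."""
    return assess_register(SAMPLE_REGISTER, AS_OF)


if __name__ == "__main__":
    for name, entry in sample_report().items():
        flag = "REVIEW DUE" if entry["review_due"] else "ok"
        print(f"{name}: {flag} {entry['reason']}".rstrip())
        for gap in entry["gaps"]:
            print(f"  gap: {gap}")
```

In the sample register the critical supplier is within its 90-day cadence but is flagged because an acquisition occurred after its last review; the high-tier supplier is overdue on cadence and carries an open finding that nobody accountable has reviewed; the low-tier supplier is within cadence and its non-trigger event is ignored. The report entries are the kind of record an auditor would expect to see behind "we monitor our suppliers".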
We are not saying that ISO 27001 requires perfect supplier security posture across all vendors. It requires a systematic, documented, and monitored approach to managing the risks that supplier relationships introduce. The distinction is important: the standard is not judging your vendors; it is judging whether you are managing the relationship with appropriate rigor.
For programs building toward ISO 27001:2022 certification, the supplier controls are often the last area to be addressed because they require coordination across security, procurement, and legal — and because the evidence trail spans multiple systems that are not always integrated. Starting the supplier controls evidence collection process at least six months before a certification audit gives programs enough time to address the gaps that are almost always present when they conduct an honest internal assessment.
For cross-framework context — how the ISO 27001:2022 supplier controls compare to NIST CSF 2.0 GV.SC requirements — see our NIST CSF supplier controls checklist.