Inverifi logo

ISO 27001

Annex A.15 - Supplier Relationships

Get compliant with ISO 27001 – Annex A.15 and simplify compliance for your organisation.

To protect and secure any assets which can be accessed by suppliers and to maintain the agreed level of service delivery and information security

A.15.1 – Information security in supplier relationships

It’s about information security in supplier relationships. Include information security policy for suppliers. Addressing security within supplier agreements Information and communication technology supply chain relationships.

A.15.1.1 Information security policy for supplier relationships

The supplier should be agreed with and documented information security requirements relating to the risk of access by suppliers to the organisation’s property. If any organisation wants to provide access to its supplier, the risk assessment should be done. The organisation must identify and involve required security information controls in the policy.


When an organisation create policies to cover this topic the following should be considered;


  • Have the suppliers that provide service to the organisation clearly identified; such as finance or IT services.
  • Controls must be in place to ensure the information shared between parties is correct and certain.
  • Recovery and contingency plan in place and ensuring all parties involved have access to this information.
  • People involved in acquisition should be aware of the policies in place, procedures and process.
  • A legal contract must be signed by parties involved to safeguard the integrity of the relationship.

A.15.1.2 Addressing security between supplier agreement

Security requirements should be agreed upon by any supplier that views, processes, stores, communicates or delivers IT infrastructure components information to the business.

The policies underlying this should include;

A.15.1.3 Information and communication technology supply chain

In your supplier agreement most of the precautions included for physical supply chains will apply to digital ones. Needs to include obligations to reduce the security risk associated with IT services and the product supply chain.


Suppliers are required to report the actions taken to minimise any type or risk, even the minor risk, and the process to eliminate these risks.


Risks of doing business with external parties should be always taken into account, ensuring suppliers handle confidential or high-risk data and align with what is documented in your policy.

A.15.2 – Supplier service delivery management

This annex is about supplier service delivery management. Including monitoring and review of supplier services and managing changes to supplier services.

A.15.2.1 Monitoring and review of supplier services

Actions to monitor, review, and audited supplier service delivery on a regular basis by companies should be in place . Information security policies must be followed and information security incidents and problems must be effectively handled and reported through regular monitoring and assessment of service providers.

This should cover;

  • Agreement compliance verification.
  • Review the supplier’s service report and plan regular meetings to follow progress.
  • Carry out supplier audits and follow-up on problems reported.
  • Information on safety incidents as specified in agreements and any applicable standards and procedures should be accessible and reviewed.
  • Analysing audits and information security reports and any other related issue the supplier has reported in the past.

A.15.2.2 Managing changes to supplier services

Any alteration to the provision of services by suppliers, including maintaining and improving existing information security policies, procedure and control, should be managed in line with the criticality of business information, systems and process involved.


Any modification, improvements or change of use of technology , changes in supplier responsibility must be covered under supplier management policy.