ISO 27001 controls: What is Annex A:15?

Understand how to manage supplier relationships with ISO 27001 Annex A:15. Explore essential controls to improve security and efficiency. Keep reading for insights from Citation Certification on attaining ISO 27001:2013 compliance.
ISO 27001 controls: What is Annex A:15?

ISO 27001 is an internationally recognised Information Security Management System (ISMS) standard.

ISO 27001 Controls under Annex A:15 – Supplier Relationships – focus on controlling the risks associated with supplier-organisation relationships and managing these accordingly to ensure your operations and customer information remain protected.


Security used to be an inconvenience sometimes, but now it’s a necessity all the time. – Martina Navratilova


The main goal of managing supplier relationships under ISO 27001 Controls is to improve business processes between you and your suppliers. By creating a streamlined approach, you enhance efficiency for both your business and your suppliers. This is a crucial clause if you are aiming for ISO 27001:2013 certification. Let’s delve into the requirements and what they entail.


Annex A:15 Supplier relationships

Annex A:15.1 Information security in supplier relationships

This clause explains the information security requirements in supplier relationships. Suppliers automatically gain access to a company’s information, which necessitates measures to protect your organisation from unauthorised access.


Annex A:15.1.1 Information security in supplier relationships

The supplier should agree to and document information security requirements related to the risk of access by suppliers to organisation assets. Before providing access, a risk assessment should be conducted. The organisation must identify and include required security information controls in the policy.

These controls may include:

    • Identification and reporting of supplier forms, e.g. IT services, financial services, etc., accessible to the organisation
    • Controls over the accuracy and completeness of information transmitted by either party
    • Resilience and recovery plans to ensure the availability of information or processing
    • Training for staff on applicable policies, processes, and procedures
    • Training for staff on interactions with supplier staff, based on provider type and access level
    • A legal contract signed by both parties to maintain relationship integrity

Annex A:15.1.2 Addressing security within supplier agreements

Suppliers that view, process, store, communicate, or provide IT infrastructure component information for the organisation should agree to all applicable information security requirements. This clause involves defining and accepting obligations, securely recording them under a relevant documented policy, and giving the organisation the right to audit the supplier and its subcontractors.

Annex A:15.1.3 Information and communication technology supply chain

Supplier agreements should contain provisions to mitigate information security risks associated with IT services and the product supply chain. Suppliers must communicate any risk of information security breaches and how they managed and resolved these risks. Effective supplier relations control requires using essential services to track the entire supply chain.


Annex A:15.2 Supplier service delivery management

Annex A:15.2 focuses on ensuring that supplier services comply with information security requirements. It outlines the controls and processes needed to monitor, review, and manage changes in supplier services, maintaining service integrity and security.


Annex A:15.2.1 Monitoring and review of supplier services

The main objective is to maintain an agreed level of information security and service delivery in compliance with supplier agreements. This involves:

    • Surveillance of service performance to verify agreement compliance
    • Reviewing supplier service reports and scheduling regular progress meetings
    • Conducting supplier audits and following up on reported problems
    • Reviewing safety incidents, guidelines, and procedures
    • Analysing audit and information security reports, operational issues, and service-related disturbances

Annex A:15.2.2 Managing changes to supplier services

Any changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, must be managed. This includes considering the criticality of business information, systems, and processes involved, and re-assessing risks.

An implementation guide plan for supplier services in case of changes is necessary. Any modifications, improvements, or changes in technology or supplier responsibilities must be covered under the supplier management policy.

Certification made simple

For more information on achieving ISO/IEC 27001 Information Security Management Systems certification, contact Citation Certification today.

Take your business to the next level

What are you interested in?
Your data will be processed inline with our Privacy Policy.
This field is for validation purposes and should be left unchanged.