Annex A · Organisational Control

A.5.20 — Addressing Information Security Within Supplier Agreements

Reading time: 5 min · Reviewed by: Cenedril Editorial
Tags: A.5.20 · ISO 27001 · ISO 27002 · BSI OPS.2.3

A contract with a payroll provider runs to 30 pages but contains exactly zero references to information security. No encryption requirements, no incident notification clause, no audit right, no data destruction obligation at contract end. A.5.20 closes this gap: every supplier agreement that involves access to the organisation’s information must include documented security requirements.

Where A.5.19 defines the organisation’s overall approach to supplier security, A.5.20 ensures that approach is anchored in legally binding agreements.

What does the standard require?

  • Include security requirements in agreements. Every agreement with a supplier that accesses, processes, stores, communicates or provides infrastructure for organisational information must contain relevant information security requirements.
  • Define responsibilities clearly. The agreement must specify which security controls are the supplier’s responsibility, which are the organisation’s and how the shared responsibility model works in practice.
  • Address the full contract lifecycle. Security clauses must cover the entire relationship: onboarding, ongoing operations, changes in scope, incident handling and termination (including data return or destruction).
  • Establish audit and monitoring rights. The organisation must retain the right to audit or otherwise verify the supplier’s compliance with the agreed security measures.
  • Cover sub-contracting. If the supplier uses sub-contractors, the agreement must require equivalent security controls down the chain and the organisation’s right to approve sub-contracting arrangements.

In practice

Develop a security annex template. Draft a standard security annex that can be appended to any supplier contract. Include sections for: scope of information accessed, classification requirements, security controls, incident notification (including maximum response time), audit rights, sub-contractor provisions and termination obligations.

Tailor requirements to the risk tier. Critical suppliers (cloud providers, payroll processors, IT outsourcers) receive the full security annex. Standard suppliers with limited access may receive a shortened version covering the essential clauses.

Involve legal counsel and information security early. Both functions should review supplier agreements before signing. Legal ensures enforceability; information security ensures completeness. Late involvement means contracts that have already been signed have to be renegotiated after the fact, and the organisation is in a weaker bargaining position once the service is live.

Track contract coverage. Maintain a register that maps each active supplier to its contract and records whether the required security clauses are included. Flag contracts that predate the security annex programme and prioritise them for amendment.

Plan for contract renewal. Use contract renewal as an opportunity to update security requirements. Standards evolve, the threat landscape changes and the scope of the supplier relationship may have shifted. Every renewal is a checkpoint.

Typical audit evidence

Auditors typically expect the following evidence for A.5.20:

  • Security annex template — the standard set of security clauses used in supplier agreements
  • Signed agreements — contracts with security annexes attached, especially for critical suppliers
  • Contract coverage register — overview showing which contracts include security requirements and which are pending amendment
  • Audit right documentation — evidence that the organisation has exercised or can exercise its audit rights
  • Sub-contractor approval records — evidence that sub-contracting arrangements have been reviewed and approved
  • Termination checklists — evidence that offboarding obligations (data return, access revocation) were fulfilled for ended contracts

KPI

% of supplier contracts containing documented IS requirements

This KPI measures how many active supplier agreements include the required information security clauses. Contracts without these clauses represent unmitigated contractual risk. The target depends on the maturity stage: newly certified organisations may start at 70-80% and work toward 100% over two renewal cycles.

Supplementary KPIs:

  • Percentage of critical supplier contracts with full security annex
  • Number of legacy contracts pending amendment
  • Average time to finalise a security annex during contract negotiation
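The contract coverage register described under "In practice" and the KPIs above can be kept honest with a small script rather than a spreadsheet column that nobody recalculates. The following is an added example, not code from the original page or from any product: it models one register entry per active contract, checks each entry against the clause set required for its risk tier (full annex for critical suppliers, a shortened essential set for standard suppliers), flags legacy contracts that predate the annex programme and are still uncovered, and derives the headline KPI and two of the supplementary ones. The clause names, tier names, the programme start date and the sample register are all assumptions chosen for illustration.

```python
"""Contract coverage register check for A.5.20.

Added example, not code from the original page. Clause identifiers, tier names,
the programme start date and the sample register are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Clause identifiers follow the sections of the security annex template (assumed names).
FULL_ANNEX = {
    "scope", "classification", "controls", "incident_notification",
    "audit_rights", "subcontracting", "termination",
}
# Shortened annex for standard-tier suppliers: essential clauses only (assumption).
ESSENTIAL = {"scope", "controls", "incident_notification", "audit_rights", "termination"}

REQUIRED_BY_TIER = {"critical": FULL_ANNEX, "standard": ESSENTIAL}

# Assumed start of the security annex programme; older contracts are "legacy".
ANNEX_PROGRAMME_START = date(2023, 1, 1)


@dataclass
class Contract:
    supplier: str
    tier: str                              # "critical" or "standard"
    signed: date                           # signature date of the current agreement
    clauses: set = field(default_factory=set)  # security clauses actually present


def missing_clauses(c: Contract) -> set:
    """Clauses required for the contract's tier that the agreement does not contain."""
    if c.tier not in REQUIRED_BY_TIER:
        raise ValueError(f"unknown risk tier {c.tier!r} for {c.supplier}")
    return REQUIRED_BY_TIER[c.tier] - c.clauses


def is_covered(c: Contract) -> bool:
    """True when every clause required for the tier is present."""
    return not missing_clauses(c)


def is_legacy_pending(c: Contract) -> bool:
    """Predates the annex programme and still lacks required clauses."""
    return c.signed < ANNEX_PROGRAMME_START and not is_covered(c)


def kpis(register: list) -> dict:
    """Headline KPI, supplementary KPIs and the per-contract gap list."""
    if not register:
        raise ValueError("empty register")
    covered = [c for c in register if is_covered(c)]
    critical = [c for c in register if c.tier == "critical"]
    # A critical contract counts as fully covered only with the complete annex.
    critical_full = [c for c in critical if FULL_ANNEX <= c.clauses]
    return {
        "pct_contracts_with_is_requirements": round(100 * len(covered) / len(register), 1),
        "pct_critical_with_full_annex": (
            round(100 * len(critical_full) / len(critical), 1) if critical else None
        ),
        "legacy_pending_amendment": sorted(c.supplier for c in register if is_legacy_pending(c)),
        "gaps": {c.supplier: sorted(missing_clauses(c)) for c in register if not is_covered(c)},
    }


# Constructed sample register (fictitious suppliers).
SAMPLE_REGISTER = [
    Contract("PayrollCo", "critical", date(2019, 6, 1), set()),   # the 30-page contract from the intro
    Contract("CloudHost", "critical", date(2024, 3, 15), set(FULL_ANNEX)),
    Contract("ITOutsourcer", "critical", date(2021, 9, 1), FULL_ANNEX - {"subcontracting"}),
    Contract("PrintShop", "standard", date(2024, 1, 10), set(ESSENTIAL)),
    Contract("CateringLtd", "standard", date(2020, 2, 1), {"scope", "termination"}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(kpis(SAMPLE_REGISTER), indent=2))
```

Running it on the sample register reports 40% headline coverage, one of three critical contracts with the full annex, three legacy contracts pending amendment, and for each gap the exact clauses to negotiate in (for example only the sub-contracting clause for ITOutsourcer). The point of the `gaps` output is that a contract with most of the annex still counts as uncovered: a single missing audit right or termination clause is what an auditor will find.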

BSI IT-Grundschutz

A.5.20 maps to an extensive set of BSI requirements for outsourcing contracts:

  • OPS.2.3.A4 (Contractual provisions for outsourcing) — requires that security requirements are contractually anchored with the outsourcing partner.
  • OPS.2.3.A6 (Creating a security concept for outsourcing) — demands a dedicated security concept that feeds into contractual requirements.
  • OPS.2.3.A13 / A14 (Security during operation / Change management) — ongoing security obligations during the contract term.
  • OPS.2.3.A21 / A24 (Audit and inspection rights / Termination) — the right to audit the supplier and specific obligations when the contract ends.
  • ISMS.1.A5 (External advice on information security) — ensures that external advisors are also bound by security requirements.

A.5.20 is the contractual anchor for the supplier security cluster: A.5.19 sets the policy and A.5.20 turns it into enforceable obligations that the other supplier controls rely on.

Frequently asked questions

What must a supplier agreement contain at minimum?

At minimum: description of information to be accessed, classification requirements, security controls expected from both parties, incident notification obligations, audit rights, data return or destruction upon termination and liability provisions. The exact scope depends on the risk tier of the supplier.

Can a Data Processing Agreement (DPA) replace a security annex?

A DPA covers GDPR obligations and is mandatory when personal data is processed. It does not replace information security requirements under ISO 27001. In practice, many organisations combine both into a single annex that addresses privacy and security together.

How do I handle suppliers who insist on their own standard terms?

Review the supplier's terms against your security requirements. Where gaps exist, negotiate supplementary clauses or a security annex. If the supplier will not agree to essential controls, document the residual risk and obtain management approval or select an alternative supplier.