A widely used open-source library is compromised through a malicious maintainer update. Within hours, the tampered code runs on thousands of production systems worldwide — including organisations that never directly interacted with the library’s maintainer. A.5.21 addresses precisely this class of risk: threats that propagate through the ICT supply chain.
ICT products and services pass through multiple layers of development, manufacturing and distribution before reaching the organisation. Each layer introduces potential for tampering, compromise or quality degradation. Managing this chain is one of the more demanding controls in Annex A.
What does the standard require?
- Define ICT supply chain security requirements. The organisation must identify security requirements specific to ICT products and services, including requirements that flow down to sub-suppliers.
- Require supplier propagation of controls. Agreements must oblige ICT suppliers to enforce equivalent security measures throughout their own supply chain and to disclose relevant sub-supplier relationships.
- Verify product and service integrity. The organisation must have mechanisms to confirm that delivered ICT products and services meet the agreed security specifications and have not been tampered with during production or transit.
- Monitor supply chain risks. The organisation must stay informed about emerging risks in its ICT supply chain — vulnerability disclosures, compromised components, geopolitical events affecting suppliers.
- Maintain component visibility. The organisation should understand the critical components within its ICT products and services, including open-source dependencies, to enable effective vulnerability management.
In practice
Require SBOMs from software suppliers. A Software Bill of Materials lists every component in a delivered software product, including open-source libraries and their versions. SBOMs enable the organisation to cross-reference components against vulnerability databases (CVE, NVD) and react quickly when a critical vulnerability is disclosed.
Include supply chain clauses in contracts. Beyond standard security requirements (A.5.20), add clauses specific to ICT supply chain risks: disclosure of sub-suppliers, notification of component changes, right to verify product integrity, obligation to pass security requirements down the chain.
Verify deliveries. For hardware, check tamper-evident seals and verify serial numbers against order documentation. For software, verify cryptographic signatures and checksums against the supplier’s published values. Automated integrity checks in CI/CD pipelines catch compromised packages before they reach production.
Monitor vulnerability feeds. Subscribe to vulnerability advisories for the products and components in your inventory. Automated tools (dependency scanners, SBOM analysis platforms) can flag affected components within hours of a new disclosure.
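The SBOM cross-referencing and integrity checks described above, as an added example (not text or code from ISO/IEC 27002 or BSI): a short Python script that reads a minimal CycloneDX-style SBOM, flags components whose version is below an advisory's fixed version, reports components with no version at all (which cannot be matched automatically and need manual review), and verifies a delivered artifact against the supplier's published SHA-256 value with a constant-time comparison. The SBOM, the advisory entries and the artifact bytes are all constructed here; the advisory identifiers are placeholders, not real CVE numbers.

```python
"""Added example: SBOM cross-reference and checksum verification.
All inputs are constructed; advisory IDs are placeholders, not real CVEs."""
import hashlib
import hmac
import json
from typing import Iterable

# Constructed SBOM in CycloneDX JSON layout (only the fields this example uses).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-http", "version": "2.4.1", "purl": "pkg:pypi/example-http@2.4.1"},
        {"name": "example-yaml", "version": "5.3.0", "purl": "pkg:pypi/example-yaml@5.3.0"},
        # No version recorded: the tool cannot decide, so it must be reviewed by a person.
        {"name": "vendored-blob", "purl": "pkg:generic/vendored-blob"},
    ],
})

# Constructed advisory feed. "fixed_in" is the first version that is not affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "example-yaml", "fixed_in": "5.4.0"},
    {"id": "ADV-PLACEHOLDER-2", "name": "example-http", "fixed_in": "2.4.0"},  # 2.4.1 already fixed
]

# Constructed artifact; the "published" digest stands in for the value the supplier
# publishes out of band (release notes, signed checksum file).
ARTIFACT = b"example-release-1.0.tar.gz: constructed bytes standing in for a real archive"
PUBLISHED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()


def parse_version(v: str) -> tuple:
    """Turn '5.3.0' into (5, 3, 0). Non-numeric parts (e.g. 'rc1') sort lowest.
    A production scanner should use the package ecosystem's own version rules."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def find_affected(sbom_json: str, advisories: Iterable[dict]) -> dict:
    """Match SBOM components against advisories.
    Returns {"affected": [...], "unversioned": [...]}; unversioned components are
    listed separately because they cannot be cleared automatically."""
    sbom = json.loads(sbom_json)
    by_name: dict = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    affected, unversioned = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unversioned.append(name)
            continue
        for adv in by_name.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                affected.append({"component": name, "version": version, "advisory": adv["id"]})
    return {"affected": affected, "unversioned": unversioned}


def verify_sha256(artifact: bytes, published_hex: str) -> bool:
    """Compare the artifact's SHA-256 with the supplier's published value.
    compare_digest avoids leaking how many leading characters matched."""
    digest = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(digest, published_hex.strip().lower())


if __name__ == "__main__":
    report = find_affected(SBOM_JSON, ADVISORIES)
    print("affected components:", report["affected"])
    print("needs manual review (no version):", report["unversioned"])
    print("delivered artifact matches published checksum:",
          verify_sha256(ARTIFACT, PUBLISHED_SHA256))
    print("tampered artifact matches published checksum:",
          verify_sha256(ARTIFACT + b"\x00", PUBLISHED_SHA256))
```

The same structure is what a CI/CD integrity gate would run on every dependency update: a component with no version in the SBOM is treated as an open finding rather than silently passed, and a checksum mismatch fails the pipeline before the package reaches production.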
Conduct periodic supply chain risk reviews. At least annually, review the ICT supply chain for changes: new sub-suppliers, shifts in manufacturing locations, end-of-life announcements, geopolitical developments. Adjust risk assessments and controls accordingly.
Typical audit evidence
Auditors typically expect the following evidence for A.5.21:
- ICT supplier and component inventory — mapping of critical ICT products, services and their supply chains
- Supply chain clauses in contracts — evidence of ICT-specific requirements in supplier agreements
- SBOM records — software bills of materials for critical applications
- Integrity verification records — checksums, signature verifications or tamper-seal inspections
- Vulnerability monitoring process — evidence of active monitoring for supply chain-related vulnerabilities
- Supply chain risk review records — documented periodic reviews of ICT supply chain risks
KPI
% of ICT suppliers assessed for supply chain security risks
This KPI measures how many ICT supplier relationships have been assessed specifically for supply chain risks (beyond general supplier security). Unassessed ICT suppliers represent blind spots. Focus initial efforts on suppliers of critical infrastructure and software.
Supplementary KPIs:
- Percentage of software products with a current SBOM on file
- Average time to assess the impact of a newly disclosed supply chain vulnerability
- Number of ICT suppliers with contractual supply chain security clauses
BSI IT-Grundschutz
A.5.21 maps to BSI’s outsourcing module with specific relevance to ICT supply chains:
- OPS.2.3 (Use of outsourcing) — the overarching module for managing security in outsourcing and supplier relationships. It includes requirements for assessing sub-supplier chains, verifying product integrity and ensuring that security requirements cascade through the supply chain.
Related controls
A.5.21 deepens the supplier security framework for ICT-specific risks:
- A.5.19 — Information security in supplier relationships: The broader framework within which A.5.21 operates.
- A.5.20 — Addressing information security within supplier agreements: Provides the contractual vehicle for ICT supply chain requirements.
- A.5.22 — Monitoring, review and change management of supplier services: Ensures ongoing oversight, including changes in the supply chain.
- A.5.23 — Information security for use of cloud services: Cloud services are a major component of the ICT supply chain.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.5.21 — Managing information security in the ICT supply chain
- ISO/IEC 27002:2022 Section 5.21 — Implementation guidance
- BSI IT-Grundschutz, OPS.2.3 — Use of outsourcing