Annex A · Organisational Control

A.5.22 — Monitoring, Review and Change Management of Supplier Services

Reading time: 5 min · Reviewed by: Cenedril Editorial
A.5.22 · ISO 27001 · ISO 27002 · BSI OPS.2.3

A cloud provider quietly migrates customer data to a data centre in a different jurisdiction. A managed-service supplier replaces its security monitoring tool without notifying clients. A critical supplier’s ISO 27001 certificate expires, and nobody in the organisation notices for six months. A.5.22 exists to prevent these blind spots: supplier services must be monitored, reviewed and subject to change management throughout the relationship.

Signing a contract with security clauses is a starting point. Without ongoing oversight, there is no assurance that the supplier continues to meet the agreed standards.

What does the standard require?

  • Monitor supplier service delivery. The organisation must track whether the supplier delivers services in accordance with the agreed security and service levels.
  • Review supplier security performance. At planned intervals, the organisation must assess the supplier’s compliance with the agreed information security requirements. This includes reviewing audit reports, certifications and incident records.
  • Manage changes to supplier services. Changes in the supplier’s services, technology, infrastructure, sub-contracting arrangements or policies must be assessed for their impact on the organisation’s information security before they take effect.
  • Handle supplier incidents. The organisation must have processes to manage security incidents that originate from or involve supplier services, including escalation, communication and root-cause analysis.
  • Maintain an audit trail. All monitoring activities, review outcomes, change assessments and incident records must be documented.

In practice

Build a supplier review calendar. Based on the risk tier from A.5.19, set review frequencies: quarterly for critical suppliers, annually for significant ones, biennially for standard. Record each review in the supplier register with date, participants, findings and agreed actions.

Request and review supplier audit reports. SOC 2 Type II reports, ISO 27001 surveillance audit summaries or BSI C5 attestations provide independent evidence of a supplier’s security posture. Review them for scope, exceptions and findings relevant to the services you consume.

Establish a change notification process. Contractually require the supplier to notify you before making changes that affect security: sub-contractor changes, data location moves, platform migrations, personnel changes in security roles. Define lead times and approval requirements.

Track supplier incidents. Maintain a log of security incidents involving supplier services. After each incident, conduct a joint review: root cause, impact on your organisation, remediation actions and preventive measures. Feed the findings into the next supplier review.

Benchmark service levels against SLAs. Compare actual service delivery (uptime, response times, incident resolution times) against the agreed SLAs. Persistent deviations signal either a performance issue or an inadequately defined SLA.

Typical audit evidence

Auditors typically expect the following evidence for A.5.22:

  • Supplier review calendar — planned schedule of reviews by risk tier
  • Review meeting minutes — documented outcomes of supplier security reviews
  • Supplier audit reports — SOC 2, ISO 27001 or equivalent reports reviewed by the organisation
  • Change notification records — evidence that supplier changes were assessed before implementation
  • Incident log — supplier-related security incidents with root-cause analysis and remediation
  • SLA performance reports — tracked service levels compared to contractual targets

KPI

% of suppliers with regular information security (IS) performance reviews conducted on schedule

This KPI measures whether the organisation is executing its supplier review programme as planned. Missed or overdue reviews indicate that supplier oversight is degrading. The target is 100% for critical suppliers; overall coverage should exceed 90%.

Supplementary KPIs:

  • Number of supplier changes assessed before implementation versus changes discovered after the fact
  • Average time to resolve supplier-related security incidents
  • Percentage of critical suppliers with current (less than 12 months old) independent audit reports on file
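The review calendar from "In practice" (quarterly, annual and biennial intervals by risk tier) and the KPIs above can be computed directly from the supplier register. The following is an added example, not code from the original page or from any GRC product; the supplier names, dates and the `Supplier` record layout are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review intervals by risk tier, as set in "In practice": quarterly for
# critical, annually for significant, biennially for standard suppliers.
REVIEW_INTERVAL_DAYS = {"critical": 91, "significant": 365, "standard": 730}
AUDIT_REPORT_MAX_AGE_DAYS = 365  # "current" report = less than 12 months old

@dataclass
class Supplier:
    name: str
    tier: str                          # critical / significant / standard
    last_review: Optional[date]        # None = never reviewed
    last_audit_report: Optional[date]  # date of latest SOC 2 / ISO 27001 report
def review_due(s: Supplier) -> Optional[date]:
    """Next review date derived from the tier interval; None if never reviewed."""
    if s.last_review is None:
        return None
    return s.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[s.tier])
def on_schedule(s: Supplier, today: date) -> bool:
    due = review_due(s)
    return due is not None and today <= due
def review_kpi(suppliers, today: date, tier: Optional[str] = None) -> float:
    """% of suppliers (optionally only one tier) whose review is on schedule."""
    pool = [s for s in suppliers if tier is None or s.tier == tier]
    if not pool:
        return 100.0
    return 100.0 * sum(on_schedule(s, today) for s in pool) / len(pool)
def audit_report_kpi(suppliers, today: date) -> float:
    """% of critical suppliers with an independent audit report under 12 months old."""
    crit = [s for s in suppliers if s.tier == "critical"]
    if not crit:
        return 100.0
    current = [s for s in crit if s.last_audit_report is not None
               and (today - s.last_audit_report).days < AUDIT_REPORT_MAX_AGE_DAYS]
    return 100.0 * len(current) / len(crit)
def overdue(suppliers, today: date) -> list:
    """Names of suppliers whose review is overdue (or never done), for escalation."""
    return [s.name for s in suppliers if not on_schedule(s, today)]

# Constructed sample register (hypothetical suppliers), evaluated on 2024-06-30.
TODAY = date(2024, 6, 30)
REGISTER = [
    Supplier("cloud-iaas", "critical", date(2024, 5, 2), date(2023, 12, 1)),
    Supplier("msp-soc", "critical", date(2024, 1, 15), date(2023, 5, 1)),
    Supplier("payroll-saas", "significant", date(2023, 9, 1), None),
    Supplier("print-vendor", "standard", None, None),
]
```

Run against this register, the critical-tier KPI is 50% (msp-soc's quarterly review fell due on 15 April), well below the 100% target, and only one of the two critical suppliers holds an audit report under 12 months old.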

BSI IT-Grundschutz

A.5.22 maps to BSI’s ongoing oversight requirements for outsourcing:

  • OPS.2.3.A18 (Control and monitoring of outsourcing) — requires regular monitoring of the outsourcing partner’s service delivery and security performance, including SLA tracking and incident review.
  • OPS.3.2.A9 (Service level management) — defines requirements for measuring, reporting and improving service levels in outsourced operations.

A.5.22 ensures ongoing oversight of supplier relationships established under the preceding controls.

Frequently asked questions

How often should I review a supplier's security performance?

The frequency depends on the risk tier. Critical suppliers should be reviewed at least annually, with continuous monitoring of service levels. Standard suppliers may follow a biennial cycle. Any significant change in services, incidents or the supplier's environment triggers an ad-hoc review.

Can I rely on a supplier's ISO 27001 certificate instead of my own audit?

A valid ISO 27001 certificate provides reasonable assurance of the supplier's overall ISMS. It does not replace the need to verify that specific contractual requirements are met. Use the certificate as a baseline and supplement it with targeted checks on the controls that matter most to your organisation.

What counts as a significant change in supplier services?

Changes in sub-contractors, data centre locations, technology platforms, key personnel, pricing models, service scope, or the supplier's own security posture all qualify. The agreement should define which changes require prior notification and approval.