Theme: Organisational | Control type: Preventive | Cybersecurity concept: Identify

A.5.20 Addressing Information Security within Supplier Agreements

M365 Admin Path: SharePoint > ISMS > Supplier Management > Contracts

Evidence Source: Manual

What is this control?

ISO 27001 control A.5.20, Addressing Information Security within Supplier Agreements, requires that every Tier 1 supplier agreement include binding contractual clauses addressing the information security risks of the relationship. Agreements must contain mandatory security clauses covering confidentiality, data protection, audit rights, breach notification, secure termination, and acceptance of the organisation's technical controls.

How to implement in Microsoft 365

Implement A.5.20 by writing the security clauses explicitly into master services agreements or security addendums for Tier 1 suppliers whose terms are negotiable. For infrastructure-critical suppliers with non-negotiable standard online terms, such as Microsoft and Fortinet, review those terms against the ISMS checklist and record whether each requirement is met. For Tier 2 suppliers, accept standard commercial terms without a security review.

The required clauses must address: confidentiality and data protection, through an NDA and a DPA that meet POPIA and GDPR; the right to third-party attestation, giving access to the supplier's ISO 27001 and SOC 2 reports; breach notification, with a timely reporting obligation; secure termination, with return or destruction of data and a destruction certificate; and technical control adherence, under which the supplier accepts enforcement of B2B guest governance, MFA, and access reviews.

What an auditor looks for

Auditors will verify that the central SharePoint repository holds all executed contracts, NDAs, and DPAs for Tier 1 suppliers. They will review the completed due diligence checklists, with CISO sign-off, that document clause verification, and they will confirm that every required clause is present: NDA, DPA, attestation rights, breach notification, secure termination, and technical controls.

They will check that the Risk Register documents any exceptions with formal CISO acceptance, and that non-negotiable supplier agreements were reviewed against the ISMS checklist.

M365 capabilities that implement this control

External Identity & B2B Governance Endpoint

Guest governance, cross-tenant access policies, external collaboration settings, and partner onboarding processes