organisational Preventive Identify

A.5.21 Managing Information Security in the ICT Supply Chain

M365 Admin Path: Azure DevOps > Project Settings > Repositories > select the repository > Policies > Branch policies (main)

Evidence Source: Azure DevOps and Defender

What is this control?

ISO 27001 control A.5.21, Managing Information Security in the ICT Supply Chain, requires processes and procedures for managing the information security risks that come with the ICT products and services supply chain. This page addresses it in two ways: verifying the security posture of third-party ICT service suppliers through their attestations (ISO 27001 certification, SOC 2 reports), and scanning the organisation's own software supply chain for vulnerable components and leaked secrets before code reaches production, using Microsoft Defender for DevOps (now delivered as the DevOps security capability of Microsoft Defender for Cloud, with the Microsoft Security DevOps extension doing the scanning inside Azure DevOps pipelines).

How to implement in Microsoft 365

Implement A.5.21 on the supplier side by verifying attestations such as ISO 27001 certificates and SOC 2 Type II reports during due diligence, as a proxy for the supplier's own supply chain controls. Check that the certificate is current and that its scope (and, for SOC 2, the system description and reporting period) actually covers the service you consume; an attestation for a different business unit or product is not evidence for this one.

For the organisation's own software supply chain, connect the Azure DevOps organisation to Defender for DevOps and add the Microsoft Security DevOps task to a pipeline that scans each pull request. Then add a build validation policy on the main branch that requires that pipeline to pass, set to Required rather than Optional, so that a pull request cannot be completed while the scan fails. Apply the same policy to release branches if those also feed production, and restrict the "Bypass policies when completing pull requests" permission, since anyone holding it can merge around the gate.

The scan covers component vulnerability scanning (known CVEs in dependencies and container images) and secret scanning. Findings at or above the configured break severity fail the pipeline, the failed required build blocks the merge, and the vulnerable change never reaches production. For physical hardware, restrict procurement to authorised resellers so that only genuine components enter the estate.

What an auditor looks for

Auditors will verify completed supplier due diligence checklists showing that ISO 27001 certificates and SOC 2 reports were obtained and checked (validity, scope, exceptions) for all Tier 1 ICT suppliers. They will check the Azure DevOps branch policy configuration for main, expecting an enabled, blocking (Required) build validation policy that points at the pipeline running the Defender for DevOps scan. They will verify that scanning is active on the repositories in scope and is producing component and secret scanning results.

They will review evidence of pull requests that were blocked because the scan failed on high-risk findings, such as pull request history showing the required build failed and completion held until the finding was fixed.
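The following script is an added example and is not code from this page or from Microsoft. It covers both the implementation step above (creating the Required build validation policy on main through the Azure DevOps policy configurations REST API) and the auditor check (deciding from a list of policy configurations whether main is actually gated, which an Optional policy is not). The organisation, project, repository GUID, pipeline id and environment variable names are hypothetical placeholders, and the Microsoft Security DevOps task inputs in the embedded pipeline should be checked against the extension's documentation before use.

```python
"""Gate pull requests into main on a passing security-scan pipeline (Azure DevOps),
and audit an existing policy set for that gate. Added example; all identifiers
are hypothetical placeholders, not values from the page."""
import base64
import json
import os
import urllib.request
from typing import Any, Optional

API_VERSION = "7.1"  # Azure DevOps REST api-version (assumed current)

# Pipeline the policy will require. It runs the Microsoft Security DevOps task
# (the scanner behind Defender for DevOps) and fails the job on findings.
SCAN_PIPELINE_YAML = """\
trigger: none          # run only as a pull request build validation
pool:
  vmImage: ubuntu-latest
steps:
  - task: MicrosoftSecurityDevOps@1   # task name assumed; verify in the marketplace
    displayName: Security scan (secrets, dependencies, IaC)
    inputs:
      break: true      # fail the job when findings are reported
      publish: true    # upload SARIF results as a pipeline artifact
"""


def policy_type_id(types: list, display_name: str = "Build") -> str:
    """Resolve the build validation policy type id from GET policy/types
    instead of hard-coding the GUID."""
    for t in types:
        if t.get("displayName") == display_name:
            return t["id"]
    raise LookupError(f"policy type {display_name!r} not found")


def build_policy_payload(repo_id: str, build_definition_id: int, type_id: str,
                         branch: str = "main") -> dict:
    """Body for POST policy/configurations: an enabled, blocking (Required)
    build policy on refs/heads/<branch> of one repository."""
    return {
        "isEnabled": True,
        "isBlocking": True,                      # Required, not Optional
        "type": {"id": type_id},
        "settings": {
            "buildDefinitionId": build_definition_id,
            "displayName": "Security scan (Microsoft Security DevOps)",
            "queueOnSourceUpdateOnly": True,     # re-run on every push to the PR
            "manualQueueOnly": False,
            "validDuration": 0,                  # build expiry; portal 'Build expiration' (assumed)
            "scope": [{"repositoryId": repo_id,
                       "refName": f"refs/heads/{branch}", "matchKind": "Exact"}],
        },
    }


def is_merge_gated(configs: list, repo_id: str, type_id: str, branch: str = "main") -> bool:
    """Auditor check: is there an enabled, blocking, non-deleted build policy whose
    scope exactly covers refs/heads/<branch> of repo_id? Optional policies do not count."""
    ref = f"refs/heads/{branch}"
    for c in configs:
        if c.get("isDeleted") or not c.get("isEnabled") or not c.get("isBlocking"):
            continue
        if c.get("type", {}).get("id") != type_id:
            continue
        for s in c.get("settings", {}).get("scope", []):
            if (s.get("repositoryId") == repo_id and s.get("refName") == ref
                    and s.get("matchKind") == "Exact"):
                return True
    return False


def azdo_call(org: str, project: str, path: str, pat: str, payload: Optional[dict] = None) -> Any:
    """GET (no payload) or POST (payload) https://dev.azure.com/{org}/{project}/_apis/{path}
    with PAT basic auth. Live network call, used only from main()."""
    url = f"https://dev.azure.com/{org}/{project}/_apis/{path}?api-version={API_VERSION}"
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", "Basic " + base64.b64encode(f":{pat}".encode()).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a policy/configurations response: main has only an
# Optional scan policy (not a gate), and the blocking policy covers release/ only.
SAMPLE_CONFIGS = [
    {"id": 1, "isEnabled": True, "isBlocking": False, "isDeleted": False, "type": {"id": "TYPE"},
     "settings": {"buildDefinitionId": 42, "scope": [
         {"repositoryId": "REPO", "refName": "refs/heads/main", "matchKind": "Exact"}]}},
    {"id": 2, "isEnabled": True, "isBlocking": True, "isDeleted": False, "type": {"id": "TYPE"},
     "settings": {"buildDefinitionId": 42, "scope": [
         {"repositoryId": "REPO", "refName": "refs/heads/release/", "matchKind": "Prefix"}]}},
]


def main() -> None:
    pat = os.environ.get("AZDO_PAT")          # hypothetical variable names
    if not pat:                               # offline: show the Optional-policy failure mode
        print("main gated:", is_merge_gated(SAMPLE_CONFIGS, "REPO", "TYPE"))
        return
    org, project = os.environ["AZDO_ORG"], os.environ["AZDO_PROJECT"]
    repo_id, build_id = os.environ["AZDO_REPO_ID"], int(os.environ["AZDO_BUILD_ID"])
    tid = policy_type_id(azdo_call(org, project, "policy/types", pat)["value"])
    configs = azdo_call(org, project, "policy/configurations", pat)["value"]
    if not is_merge_gated(configs, repo_id, tid):
        azdo_call(org, project, "policy/configurations", pat,
                  build_policy_payload(repo_id, build_id, tid))


if __name__ == "__main__":
    main()
```

Run without AZDO_PAT to see the check evaluate the constructed sample, which reports main as not gated because its only scan policy is Optional; with the variables set, the script resolves the Build policy type, reads the live configurations and creates the Required policy only if no gate already exists. The same `is_merge_gated` check, pointed at the live export, is the evidence an auditor asks for under the branch policy item above.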