A.5.22 Monitoring, Review and Change Management of Supplier Services
What is this control?
ISO 27001 control A.5.22, Monitoring, Review and Change Management of Supplier Services, requires the organisation to maintain the agreed levels of information security and service delivery through continuous monitoring of supplier activity, periodic formal reviews of supplier performance and security posture, and a managed process for handling supplier-initiated changes and contract terminations.
How to implement in Microsoft 365
Implement A.5.22 through continuous monitoring: ingest Microsoft Entra sign-in and audit logs into Microsoft Sentinel and run analytics rules over B2B guest activity, for example guest sign-ins from countries outside the supplier's agreed locations, impossible travel, or access to applications the supplier has no business need for. Subscribe to Microsoft 365 service health notifications for suppliers whose infrastructure the service depends on. Configure recurring (quarterly) Microsoft Entra access reviews scoped to B2B guest accounts, with the business owner as reviewer recording an Approve or Deny decision for each guest and with results auto-applied so that denied guests lose access when the review closes.
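The unapproved-location analytics rule described above, as an added PowerShell example that is not part of the original page. It creates a scheduled Sentinel rule with the Az.SecurityInsights module; the resource group, workspace name, approved country list and rule text are assumed placeholders, and the cmdlet parameters are those documented for Az.SecurityInsights 3.x (check Get-Help New-AzSentinelAlertRule against your installed version). The KQL body can equally be pasted into the Sentinel rule wizard.

```powershell
# Added example, not part of the original page. Assumes the Az.Accounts and
# Az.SecurityInsights modules and an existing Sentinel workspace into which the
# Microsoft Entra ID SigninLogs table is already being ingested.
# Placeholder names: rg-sentinel, law-sentinel and the approved country list.

$ResourceGroup = 'rg-sentinel'
$Workspace     = 'law-sentinel'

# Countries (ISO 3166-1 alpha-2, as recorded in SigninLogs.Location) from which
# the supplier is contractually allowed to connect. Assumed values.
$ApprovedCountries = @('GB', 'IE')
$approvedList = ($ApprovedCountries | ForEach-Object { '"{0}"' -f $_ }) -join ','

# KQL body of the rule: successful B2B guest sign-ins from a country outside the
# approved list, summarised per guest so one alert covers a burst of sign-ins.
$Query = @"
let approved = dynamic([$approvedList]);
SigninLogs
| where UserType == "Guest"
| where ResultType == "0"                  // successful sign-ins only
| where isnotempty(Location)
| where Location !in (approved)
| summarize SignIns = count(),
            Countries = make_set(Location),
            SourceIPs = make_set(IPAddress),
            Apps = make_set(AppDisplayName),
            LastSeen = max(TimeGenerated)
  by UserPrincipalName
"@

Connect-AzAccount | Out-Null

# Scheduled rule: look back one hour, run every hour, and raise an alert when
# the query returns any row (GreaterThan 0).
New-AzSentinelAlertRule `
    -ResourceGroupName $ResourceGroup `
    -WorkspaceName $Workspace `
    -Kind Scheduled `
    -DisplayName 'Supplier guest sign-in from unapproved country' `
    -Description 'A.5.22 supplier monitoring: B2B guest signed in from outside the agreed locations.' `
    -Query $Query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -Severity Medium `
    -TriggerOperator GreaterThan `
    -TriggerThreshold 0 `
    -Tactic InitialAccess `
    -Enabled
```

The summarize step matters for the audit trail as much as for noise: a single incident per guest per hour is what gets attached to the supplier review rather than dozens of near-identical alerts. Add entity mapping (account and IP) in the portal afterwards so that the incident links to the guest object the quarterly access review will later act on.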
Conduct annual performance and compliance reviews with the CISO and the business owner, including verification that the supplier's security attestations are still current. For change management, assess every supplier-initiated material change with a CISO impact assessment recorded in the Risk Register. On service or contract termination, run the leaver (offboarding) process for the supplier: disable its B2B guest accounts, revoke any active sessions, and keep a record of the disablement as evidence.
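The supplier offboarding step above, as an added PowerShell example using the Microsoft Graph PowerShell SDK (not the page's own code). It assumes the supplier's guests can be identified by their home email domain (the domain `supplier.example`, the contract reference and the evidence file path are assumed placeholders) and that the operator holds a role permitted to disable users. The function disables each guest, revokes its sessions, re-reads the account and writes a timestamped CSV that can be handed to an auditor.

```powershell
# Added example, not part of the original page. Assumes the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Users and Microsoft.Graph.Users.Actions) and
# that the supplier's B2B guests are identified by their home email domain.

function Disable-SupplierGuests {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SupplierDomain,   # e.g. 'supplier.example' (assumed)
        [Parameter(Mandatory)] [string] $ContractRef,      # free text copied into the evidence record
        [string] $EvidencePath = ".\A5.22-offboarding-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # Guest objects keep the external address in 'mail'; endsWith is an advanced
    # query and needs ConsistencyLevel eventual plus $count (CountVariable).
    $filter = "userType eq 'Guest' and endsWith(mail,'@$SupplierDomain')"
    $guests = Get-MgUser -Filter $filter -ConsistencyLevel eventual -CountVariable total -All `
                  -Property Id,UserPrincipalName,Mail,AccountEnabled,CompanyName

    if (-not $guests) {
        Write-Warning "No guest accounts found for $SupplierDomain"
        return @()
    }

    $evidence = foreach ($g in $guests) {
        $action = 'skipped (already disabled)'
        if ($g.AccountEnabled) {
            if ($PSCmdlet.ShouldProcess($g.UserPrincipalName, 'Disable guest and revoke sessions')) {
                # Block further sign-ins, then invalidate refresh tokens so sessions
                # the supplier still holds stop working once the access token expires.
                Update-MgUser -UserId $g.Id -AccountEnabled:$false
                Revoke-MgUserSignInSession -UserId $g.Id | Out-Null
                $action = 'disabled, sessions revoked'
            } else {
                $action = 'would disable (WhatIf)'
            }
        }
        # Re-read the account so the evidence reflects the directory, not our intent.
        $after = Get-MgUser -UserId $g.Id -Property AccountEnabled
        [pscustomobject]@{
            Timestamp         = (Get-Date).ToUniversalTime().ToString('o')
            ContractRef       = $ContractRef
            UserPrincipalName = $g.UserPrincipalName
            Mail              = $g.Mail
            Action            = $action
            AccountEnabled    = $after.AccountEnabled
            PerformedBy       = (Get-MgContext).Account
        }
    }

    $evidence | Export-Csv -Path $EvidencePath -NoTypeInformation
    Write-Host "Evidence written to $EvidencePath"
    return $evidence
}

# Usage with assumed values; drop -WhatIf to apply the changes.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.EnableDisableAccount.All'
Disable-SupplierGuests -SupplierDomain 'supplier.example' -ContractRef 'contract-ref-placeholder' -WhatIf
```

Disabling rather than deleting keeps the object (and its sign-in history in Sentinel) available for the termination review; the CSV, together with the Entra audit log entries that Update-MgUser generates, is the evidence an auditor asks for under the last section. Run it with -WhatIf first so the evidence file lists the accounts in scope before anything is changed.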
What an auditor looks for
Auditors will verify access review results showing completed B2B guest reviews with an Approve or Deny decision logged for each guest. They will check the Microsoft Sentinel configuration to confirm that B2B guest sign-in and audit logs are being ingested and that the analytics rules are enabled. Auditors will review updated supplier due diligence checklists showing a Last Reviewed date within the past 12 months with current attestations attached.
They will verify Risk Register entries documenting material supplier changes and their impact assessments, and will check for evidence (for example a timestamped record of the affected accounts) that B2B accounts were disabled when the supplier contract terminated.