
    Supplier Relationship Security Policy

    Supplier and third-party security (Annex A 5.19-5.22).


    About this Supplier Relationship Security Policy

    The Supplier Relationship Security Policy is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It directly supports Annex A 5.19-5.22 of the ISO 27001 Annex A control set.

    Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to Annex A 5.19-5.22
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Annex A 5.19 - Information security in supplier relationships
    • Annex A 5.20 - Addressing information security within supplier agreements
    • Annex A 5.21 - Managing information security in the ICT supply chain
    • Annex A 5.22 - Monitoring, review and change management of supplier services

    How to customise

    • Define supplier tiers based on data access and criticality.
    • List the contract clauses required (DPA, breach notice, audit rights).
    • Set onboarding and review cadence per tier.
    • Reference your supplier register and assessment tool.

    Evidence auditors may expect

    • Supplier register with risk tier and assessment date
    • Signed contracts with security clauses or DPAs
    • Completed due-diligence questionnaires or certifications on file
    • Records of periodic supplier reviews

    Auditor may ask

    Q. How are suppliers risk-rated before onboarding?
    Q. What security clauses are included in supplier contracts?
    Q. How are subprocessors and the ICT supply chain considered?
    Q. How are suppliers reassessed when scope or service changes?

    These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.

    Get the editable Supplier Relationship Security Policy

    Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).