Managing Information Security in the ICT Supply Chain
Ensure ICT supply chain security by managing risks with processes and procedures.
Plain language
This control is about making sure the technology products and services you get from your suppliers are secure. If someone in the chain is sloppy or lacks security, it could lead to problems like data breaches, service disruptions, or financial loss. Think of it like ensuring your house is built with quality materials — if one part is weak, the whole structure could be compromised.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Why it matters
Weak ICT supply chain security can lead to data breaches or disruptions as insecure supply chain links provide attackers a backdoor into your organisation.
Operational notes
Regularly assess supplier security practices, contracts and access; track vendor vulnerabilities and updates to manage ICT supply chain risks.
Implementation tips
- The procurement team should define clear security requirements when purchasing any ICT products or services. They should ensure suppliers know exactly what security measures need to be in place, such as data protection and system integrity, and include these details in contracts.
- An IT manager should ensure that all suppliers are required to apply the organisation's security practices throughout their own supply chains. This includes asking for a list of their critical components and verifying how they ensure these components are secure.
- The IT security officer should set up a process to regularly review and monitor suppliers’ compliance with security requirements. This could involve routine checks like penetration tests or reviewing third-party security assessments.
- A project manager should be tasked with identifying all critical components of each ICT product or service. They should maintain an updated list and ensure any changes or updates from the supplier do not introduce risks.
- Executives should ensure there is a plan for what happens if a main supplier can no longer provide a product or service. This includes finding alternative suppliers and making sure knowledge and data can be transferred without issues.
Audit / evidence tips
- Ask: Request the security requirements documentation provided to ICT suppliers. Good: Documents are comprehensive and included in supplier contracts, ensuring clear expectations.
- Ask: Obtain the list of suppliers with their compliance evidence for security practices. Good: All suppliers have up-to-date compliance certificates or equivalent security validations.
- Ask: Review the monitoring and validation reports for supplier compliance. Good: Reports show regular and documented security checks with suppliers meeting all set requirements.
- Ask: Request the list of critical components identified in ICT products or services. Good: The list is comprehensive and updated regularly with all critical components adequately protected.
- Ask: Examine the supplier continuity and alternative plans. Good: Plans are detailed with clear procedures for transitioning to alternative suppliers without disruption.
Cross-framework mappings
How Annex A 5.21 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
Partially meets (14)

| Control | Notes |
|---|---|
| ISM-0280 | ISM-0280 requires organisations to prefer procuring products that have completed Protection Profile (PP)-based evaluations (including app... |
| ISM-0285 | ISM-0285 requires evaluated products to be delivered in accordance with delivery procedures specified in evaluation documentation |
| ISM-0731 | ISM-0731 requires the CISO to oversee cyber supply chain risk management activities for their organisation |
| ISM-0840 | ISM-0840 requires that when an organisation outsources destruction of media holding non-accountable material, it uses a specifically cert... |
| ISM-0938 | ISM-0938 focuses on choosing vendors for user applications who demonstrate Secure by Design/Secure by Default practices |
| ISM-1568 | ISM-1568 requires organisations to procure operating systems, applications, IT/OT equipment and services from suppliers that have demonst... |
| ISM-1632 | ISM-1632 requires organisations to procure ICT/OT products and services from suppliers with a proven ability to maintain the security of ... |
| ISM-1743 | ISM-1743 requires organisations to choose operating system vendors that demonstrate Secure by Design/Secure by Default practices and pref... |
| ISM-1786 | ISM-1786 requires an organisation to create and maintain an approved supplier list to control supplier engagement |
| ISM-1787 | ISM-1787 mandates organisations to only source IT/OT products and services from approved suppliers, reducing exposure to untrusted or hig... |
| ISM-1791 | ISM-1791 requires integrity assessment of delivered IT/OT products and services before acceptance |
| ISM-1800 | ISM-1800 requires flashing network devices with trusted firmware before first use to reduce the likelihood of supply chain or pre-comprom... |
| ISM-1882 | ISM-1882 requires procurement from suppliers that demonstrate transparency for the products and services being acquired |
| ISM-2082 | ISM-2082 requires developers to use a CBOM for imported third-party software components to confirm those components support standardised ... |

Partially overlaps (8)

| Control | Notes |
|---|---|
| ISM-0039 | ISM-0039 requires a maintained cyber security strategy that drives how the organisation manages cyber risks to its information and services |
| ISM-0286 | Annex A 5.21 requires organisations to establish processes and procedures to manage information security risks in the ICT supply chain |
| ISM-0305 | ISM-0305 requires organisations to ensure maintenance and repairs occur on-site and are performed by appropriately cleared technicians, r... |
| ISM-1073 | ISM-1073 requires contracts for system access by service providers |
| ISM-1570 | ISM-1570 requires regular independent IRAP assessment of cloud service providers against the ISM, ensuring an objective security evaluati... |
| ISM-1738 | ISM-1738 requires regular, ongoing verification of service providers against contractual security requirements |
| ISM-1972 | Annex A 5.21 requires organisations to implement processes and procedures to manage ICT supply chain information security risks |
| ISM-2087 | ISM-2087 requires the organisation to verify the source and integrity of training data used for AI models to prevent data poisoning |

Supports (11)

| Control | Notes |
|---|---|
| ISM-0310 | ISM-0310 requires organisations to ensure off-site IT repairs are conducted only at facilities approved to handle the asset’s classification |
| ISM-0629 | ISM-0629 requires trusted administration arrangements for shared components in gateways between different security domains, including the... |
| ISM-1195 | ISM-1195 requires organisations to enforce mobile device policy using an MDM solution that has passed a Common Criteria evaluation agains... |
| ISM-1203 | ISM-1203 requires conducting a threat and risk assessment for each system with authorising officer involvement |
| ISM-1535 | ISM-1535 requires processes and procedures to prevent AUSTEO, AGAO, and REL information from being exported to unsuitable foreign systems |
| ISM-1736 | ISM-1736 requires organisations to maintain and regularly verify a register of managed services |
| ISM-1797 | ISM-1797 requires software updates to be digitally signed or provided with cryptographic checksums to reduce the risk of tampering and co... |
| ISM-2027 | ISM-2027 requires verification of software artefacts using digital signatures or secure hashes before they enter the organisation’s autho... |
| ISM-2073 | ISM-2073 requires an organisation to develop and maintain a PQC transition plan, including managing dependencies on third-party products ... |
| ISM-2083 | ISM-2083 requires software producers to provide a CBOM to software users to increase transparency of cryptographic components |
| ISM-2088 | ISM-2088 requires data validation and verification to maintain the integrity of AI training data |

Depends on (1)

| Control | Notes |
|---|---|
| ISM-1631 | ISM-1631 requires organisations to identify all suppliers associated with systems (e.g |

Related (13)

| Control | Notes |
|---|---|
| ISM-0072 | Annex A 5.21 requires processes and procedures to manage information security risks arising from ICT suppliers and service dependencies |
| ISM-1395 | Annex A 5.21 requires defined processes to manage information security risks arising from ICT supply chain products and services |
| ISM-1452 | ISM-1452 requires a supply chain risk assessment for suppliers of operating systems, applications, IT/OT equipment and services to determ... |
| ISM-1567 | Annex A 5.21 requires defined processes and procedures to manage information security risks arising from ICT supply chain products and se... |
| ISM-1737 | Annex A 5.21 requires defined processes and procedures to manage information security risks associated with ICT supply chain products and... |
| ISM-1788 | Annex A 5.21 requires organisations to define and implement processes to manage information security risks across the ICT products and se... |
| ISM-1789 | ISM-1789 requires organisations to verify the authenticity of software, hardware, and services before their acceptance |
| ISM-1790 | Annex A 5.21 requires organisations to define and implement procedures to manage ICT supply chain information security risks |
| ISM-1792 | Annex A 5.21 requires processes and procedures to manage information security risks associated with ICT supply chain products and services |
| ISM-1804 | Annex A 5.21 addresses end-to-end management of ICT supply chain security risks via defined processes and procedures |
| ISM-1826 | Annex A 5.21 requires organisations to implement processes to manage information security risks across the ICT supply chain for products ... |
| ISM-2023 | Annex A 5.21 requires organisations to implement processes to manage ICT supply chain security risks for products and services |
| ISM-2086 | Annex A 5.21 requires organisations to manage information security risks associated with ICT products and services throughout the supply ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.