Third-Party and Supply Chain Risk: What ISO 27001 Clause 8.4 Actually Requires
Third-party and supply chain risk is consistently one of the most underimplemented areas in ISO 27001 programmes. Organisations complete a supplier questionnaire, file it in their evidence library, and consider the requirement met. During an audit, that approach produces findings. The standard requires more than a point-in-time questionnaire, and the gap between what most organisations do and what the standard actually requires is significant enough to produce nonconformities in otherwise well-prepared audits.
Clause 8.4 of ISO 27001:2022 addresses operational planning and control in supplier relationships, and the Annex A controls in the 5.19 to 5.23 range detail specific requirements for information security in supplier relationships, supplier agreements, supply chain management, service delivery, and change management with suppliers. Together, these requirements form a programme expectation, not a checklist exercise.
Identifying Suppliers and Classifying Them by Risk
The first requirement is that the organisation has a defined inventory of suppliers that access, process, store, or could affect the security of the organisation's information. Most organisations have a partial list. The gaps are typically in informal or shadow IT relationships, where a team has contracted a service without going through a procurement process, and in lower-tier suppliers, where the organisation knows its primary vendors but has not examined what third parties those vendors rely on for service delivery.
Once suppliers are identified, they must be classified by the nature and level of risk they represent. A supplier that processes sensitive personal data or has direct access to production systems represents a different risk level than a supplier that provides office supplies or facilities management. The classification drives the depth of assessment required. A risk-based approach to supplier assessment does not mean assessing all suppliers with equal depth. It means assessing suppliers proportionally to the risk they represent and being able to document the rationale for how each supplier was classified.
Contractual Requirements and What They Must Cover
The standard requires that information security requirements are addressed in supplier agreements. This is not satisfied by a general indemnity clause or a reference to the supplier's privacy policy. Supplier agreements for suppliers that access or process your information must include specific provisions covering the supplier's security obligations, the right to audit or assess the supplier, incident notification requirements, and provisions governing what happens to your data when the relationship ends.
Many organisations discover during ISO 27001 preparation that their existing supplier contracts do not include these provisions, particularly for suppliers engaged before the information security programme was established. Remediation involves reviewing the supplier contract register against the requirement list and renegotiating or supplementing agreements where gaps exist. This is often slower than organisations expect because it requires legal review and in some cases supplier cooperation. Building the contractual requirements into procurement templates prevents the same problem recurring with new suppliers.
Monitoring, Review, and Managing Changes
The standard requires that the organisation monitors supplier performance against its security obligations on an ongoing basis, not just at contract commencement. Monitoring can take several forms depending on the supplier risk classification. For high-risk suppliers, monitoring may involve reviewing the supplier's annual security certification or audit report, conducting periodic security assessments, or reviewing incident reports. For lower-risk suppliers, monitoring may be lighter-touch and more periodic.
Change management in supplier relationships is a specific requirement that is frequently overlooked. If a supplier changes its subprocessors, changes the location where data is processed, or experiences a significant security incident, the organisation must have a process for evaluating the implications and responding appropriately. Supplier change notification clauses in contracts support this, but the process for acting on notifications must also exist. Receiving a change notification and filing it without a documented review and decision does not meet the requirement.
Designing a Supplier Risk Programme That Survives Audits
A supplier risk programme that satisfies ISO 27001 requires four things: a complete supplier register with risk classification, a tiered assessment process matched to risk level, contractual provisions that meet the standard's requirements, and an ongoing monitoring and review cycle. The programme must be documented well enough that an auditor can follow the process from supplier identification through to ongoing monitoring without relying on verbal explanation.
In practice, the most common audit findings in this area are an incomplete supplier register, assessments that were completed at contract start but not reviewed since, and supplier agreements that reference security obligations in general terms without the specific provisions the standard requires. Remediating all three simultaneously is achievable with structured effort. The sequencing that works best is: inventory first, then classification, then contract review, then monitoring design. Each step informs the next and the output of each step becomes evidence for the audit. To discuss your supplier risk programme and how it will hold up to ISO 27001 audit scrutiny, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







