What the framework requires
Control A.5.19 — Information security in supplier relationships
The organisation must define and document its approach to managing the information-security risks associated with the use of supplier products and services. Evidence is typically a supplier-management policy and a supplier inventory.
Controls A.5.20 to A.5.22 — Agreements, supply chain, monitoring
A.5.20 covers information-security requirements in supplier agreements. A.5.21 covers information and communications technology supply-chain security. A.5.22 covers monitoring, review, and change management of supplier services. Together these controls describe a supplier lifecycle, not a one-time clause review.
What auditors expect
Auditors typically look for a current supplier inventory aligned to the risk register; evidence of pre-engagement due diligence; contractual clauses that specify access, data, incident, and termination requirements; and ongoing monitoring records such as performance reviews, incident records, and change logs.
How our services map to compliance
- Pre-engagement due diligence. Background investigations, supplier vetting, and pre-employment screening produce the evidence base that A.5.19 and A.5.20 expect at the start of a supplier relationship.
- Documented operations and reporting. Where Mission Support is the supplier, our standard operating procedures, incident logs, and after-action reports are produced in a form that fits an operator's ISO 27001 evidence base directly.
- Mystery-guest and audit-style reviews. Mystery-guest audits and forensic reviews provide the monitoring evidence that A.5.22 requires and that an internal-audit programme typically lacks for hospitality and on-site services.
