
ISO 27001 Third-Party Risk Management Requirements

ISO Certifications | TPRM

Published: Apr 26, 2012

Last Updated: Feb 20, 2025

If your organization is seeking ISO 27001 certification, and you outsource physical hosting to a third-party vendor, you may be wondering if and how to include them in the scope of your Information Security Management System (ISMS). 

This confusion around how to treat a critical third-party service provider commonly occurs when an organization is in the early stages of scoping its ISMS. Some organizations attempt to scope the third-party provider within their ISMS, which leads to difficulties when trying to treat risks that apply to a third party. Others take a more hands-off approach and “transfer” all applicable outsourcing risk to the third-party service provider, without treating the risk at all. The correct approach is actually somewhere in the middle, and in 2022, new ISO 27001 Annex A controls were added to provide additional clarity.

Here and throughout, we will refer to vendors, suppliers, and service providers interchangeably.  

The Importance of Third-Party Risk Management  

It’s common for organizations to outsource critical business functions, including IT infrastructure, cloud services, and data processing, to external suppliers, service providers, and vendors. However, these third-party partnerships come with increased risks that must be regularly and strategically monitored, assessed, and managed.

Effective third-party risk management is essential for maintaining a secure and resilient ISMS, as vendors can introduce significant security and compliance risks. ISO 27001:2022 requires organizations to include key suppliers in the scope of the ISMS (Clause 4) and the risk assessment process (Clauses 6 & 8) to ensure their security controls align with business and regulatory requirements (Annex A). Further, Annex A controls have been designed to provide a structured approach to managing supplier risks, enforcing security expectations, and ensuring continuous monitoring. 

An organization should include third-party suppliers in their ISMS risk assessment process as they can introduce security vulnerabilities, compliance risks, and operational dependencies that impact the organization’s overall security posture. Clause 6.1 requires organizations to identify and assess risks associated with external parties, including suppliers, to ensure appropriate controls are implemented. By including third-party suppliers in the risk assessment process, organizations can identify, evaluate, and mitigate potential security threats arising from external dependencies. 

ISO 27001 Third-Party Risk Management Requirements Explained 

When defining the scope of the ISMS (as part of Clause 4.3), it is essential to account for high-risk key vendors (e.g., AWS or GCP), as their services directly impact the organization’s security posture. Their inclusion in the scope of the ISMS ensures that third-party supplier relationships are evaluated under Clause 6.1, managed effectively under Clause 8, and aligned with Annex A controls (e.g., A.5.19 and A.5.20).

The following are some of the specific controls in which ISO 27001:2022 emphasizes the importance of managing third-party risks:  

Annex A Control A.5.19: Information Security Supplier Relationships  

Ensures that organizations define and implement security requirements for suppliers based on the risks that they introduce. This includes assessing suppliers’ security controls, incorporating security clauses in contracts, and continuously monitoring compliance to protect the organization’s information and systems. 

Annex A Control A.5.20: Information security within supplier agreements  

Ensures that information security requirements are explicitly defined and enforced within supplier agreements. This includes contractual obligations for data protection, security controls, incident reporting, and compliance monitoring to safeguard organizational information throughout the supplier relationship. 

Annex A Control A.5.21: Third-party information security policies 

Ensures that organizations manage security risks across the entire ICT supply chain. This includes assessing and monitoring suppliers and their subcontractors to ensure they meet security requirements, maintain data integrity, and mitigate risks related to third-party dependencies. 

Annex A Control A.5.23: Information security for use of cloud services 

Ensures that organizations assess and implement security measures for cloud services based on risk, business needs, and compliance requirements. This includes defining security responsibilities between the organization and the cloud provider, implementing controls for data protection, and continuously monitoring cloud service security to mitigate risks. 

Annex A Control A.8.30: Outsourced development 

Ensures that organizations manage security risks associated with externally developed software or systems. This includes defining security requirements in contracts, assessing the security practices of third-party developers, and ensuring secure coding, testing, and delivery to protect against vulnerabilities and unauthorized access. 

These updated controls require your organization to establish security requirements for third-party services in contracts as well as continuously monitor third-party compliance. Your organization must also ensure risk treatment is documented and aligned with your ISMS risk management process.  

Organizations must have a process in place to evaluate, monitor, and document third-party risks to ensure they meet their security expectations. Evidence of that monitoring should be available as a record of the ISMS. 

Elements of Managing Third-Party Service Providers in ISO 27001 

To ensure you meet these requirements under ISO 27001, it’s important to adjust your third-party risk management strategy. Elements of effectively managing risks with third-party service providers include: 

Due diligence in vendor selection 

Organizations must conduct a thorough evaluation of potential vendors before engagement, assessing their security posture, compliance with industry standards (e.g., ISO 27001 certification or SOC 2), history of data protection practices, and more. This helps identify third-party vendors that align with the organization’s security requirements.

Thorough vendor risk assessment processes 

A risk assessment should be performed to evaluate the potential security threats a vendor may introduce, not only considering likelihood and impact, but also factors such as data access, regulatory compliance, and external dependencies. This risk assessment process helps determine the level of risk mitigation required and decisions on necessary controls (Annex A). 

Contractual agreements 

Security expectations and responsibilities must be defined in legally binding contracts, including provisions for data protection, incident reporting, compliance requirements, and audit rights. These agreements help ensure vendors comply with the organization's security policies and regulatory obligations. 

Regular ongoing audits and documentation 

Periodic security audits are essential to verify that vendors continue to meet contractual security requirements and agreements. Ongoing monitoring enables organizations to enforce compliance and address risks with vendor relationships. 

Take the Next Steps Toward an ISO 27001 Certification 

If you’re interested in learning more about Schellman’s Certification Body accreditations and how our process can streamline your journey to ISO 27001 compliance, contact us today.

About Jenelle Tamura

Jenelle Tamura is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman in 2018, Jenelle worked as an IT Assurance Senior, specializing in ISO 27001, SOC1/SOC2, and SOX. As a Senior Associate with Schellman, Jenelle Tamura is focused primarily on ISO 27001 and SOC1/SOC2 for organizations across various industries.