Overview
Build a supplier management process that satisfies ISO/IEC 20000-1:2011 Clause 7.2 and the governance requirements of Clause 4.2. This skill walks you through identifying every supplier involved in delivering your IT services, classifying each by criticality, defining contract requirements, setting up performance monitoring, and establishing governance controls for outsourced processes.
Most IT service providers depend heavily on third-party suppliers – cloud infrastructure, software vendors, telecommunications, managed security. An auditor will expect you to demonstrate that you know who your suppliers are, how critical each one is to your services, and that you have contractual and operational controls in place to manage them. This skill structures that work so nothing falls through the cracks.
For a step-by-step walkthrough, see the ISO 20000 SMS workspace tutorial.
What It Covers
- Supplier identification – mapping suppliers to the services they support
- Criticality classification – critical, important, or standard based on service impact
- Contract requirements – SLA alignment, audit rights, exit clauses, data protection
- Performance monitoring – KPIs per supplier, review frequency, escalation for underperformance
- Governance of other parties (Clause 4.2) – oversight mechanisms for outsourced processes
Example Conversation
You: We need to build a supplier register for our ISO 20000 certification. We’re an MSP and we rely on several vendors for our managed infrastructure and cloud hosting services.
Agent: I’ll help you build the supplier register for Clause 7.2. Let me start by identifying your suppliers. For each one, I need:
- Supplier name
- What service or component they provide
- Which of your services depend on them
List all the external parties you rely on for service delivery.
You: AWS for cloud infrastructure, Microsoft for M365 and Azure AD, Datadog for monitoring, CrowdStrike for endpoint security, BT for WAN connectivity, and Kyndryl for out-of-hours NOC support.
Agent: I’ve recorded 6 suppliers. Now let’s classify each by criticality. The question is: if this supplier disappeared tomorrow, what happens to your services?
- Critical – Service cannot operate
- Important – Service is degraded
- Standard – Minimal direct impact
Based on what you’ve described, I’d suggest:
| Supplier | Criticality | Rationale |
|---|---|---|
| AWS | Critical | Core hosting platform – total service outage without it |
| Microsoft (M365/Azure AD) | Critical | Identity and productivity – cannot authenticate users |
| BT | Critical | WAN connectivity – remote sites lose access |
| CrowdStrike | Important | Security monitoring degraded, but services still run |
| Datadog | Important | Lose observability, but services still operational |
| Kyndryl | Important | Out-of-hours coverage lost, in-hours support continues |
Do you agree with these classifications, or would you adjust any?
You: That looks right. What about contracts?
Agent: For each supplier, I need to capture contract details. Let me focus on the critical suppliers first. For AWS:
- What is the contract status – active, pending renewal, or expired?
- When does the contract expire?
- Do you have audit rights or the ability to request compliance reports (e.g., SOC 2)?
- Is there an exit clause with defined transition arrangements?
You: AWS is on a 3-year Enterprise Agreement expiring December 2027. No direct audit rights but they provide SOC 2 and ISO 27001 reports. Exit clause with 90-day transition period.
Agent: Good. Now let me define performance KPIs for AWS. I’d recommend tracking: availability (target 99.95%), support response time (target per severity), and monthly cost variance (within 10% of budget). Review frequency: monthly. Does that work?
You: Yes, add incident resolution time too. Review monthly with a quarterly deep-dive.
Agent: I’ll run the supplier_register_validator now… Result: 6 suppliers registered. All have name, service, and criticality. 3 critical suppliers have full contract details. 3 important suppliers still need contract expiry dates and KPIs. I’ll flag those for you to complete.
Sample Output Excerpt
The skill produces a structured JSON supplier register plus a markdown process document. Here is a representative excerpt from the JSON.
```json
{
  "suppliers": [
    {
      "name": "AWS",
      "service_provided": "Cloud infrastructure (EC2, RDS, S3, VPC)",
      "criticality": "critical",
      "contract_status": "active",
      "contract_expiry": "2027-12-31",
      "performance_kpis": [
        { "metric": "Availability", "target": "99.95%", "review_frequency": "monthly" },
        { "metric": "Support response time", "target": "Per severity matrix", "review_frequency": "monthly" },
        { "metric": "Incident resolution time", "target": "Per SLA", "review_frequency": "quarterly" }
      ],
      "audit_rights": false,
      "compliance_reports": ["SOC 2 Type II", "ISO 27001"],
      "exit_clause": true,
      "exit_transition_period": "90 days"
    },
    {
      "name": "CrowdStrike",
      "service_provided": "Endpoint detection and response",
      "criticality": "important",
      "contract_status": "active",
      "contract_expiry": "2026-06-30",
      "performance_kpis": [
        { "metric": "Detection coverage", "target": "99%", "review_frequency": "quarterly" }
      ],
      "audit_rights": false,
      "compliance_reports": ["SOC 2 Type II"],
      "exit_clause": true
    }
  ],
  "governance_other_parties": {
    "processes": ["Out-of-hours NOC monitoring (Kyndryl)"],
    "oversight_mechanism": "Monthly performance reports, quarterly governance review",
    "reporting_frequency": "monthly"
  }
}
```
Extension Tools
supplier_register_validator
Validates supplier-register.json for ISO 20000-1 Clause 7.2 completeness. Run after drafting the supplier register.
| Check | What It Does |
|---|---|
| Suppliers present | Confirms at least one supplier is documented |
| Required fields | Verifies each supplier has name, service_provided, criticality, and contract_status |
| Performance KPIs | Checks that each supplier has at least one KPI defined |
| Criticality classification | Validates criticality values are within the expected set |
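The four checks in the table above, implemented as a stand-alone script. This is an added illustration, not the skill's own validator; the register structure follows the JSON excerpt on this page, the sample register below is constructed (Datadog is deliberately incomplete), and the allowed criticality set is assumed to be the three values the agent uses: critical, important, standard.

```python
import json

REQUIRED_FIELDS = ("name", "service_provided", "criticality", "contract_status")
ALLOWED_CRITICALITY = {"critical", "important", "standard"}  # assumed expected set

# Constructed sample register: AWS is complete, Datadog has two defects
# (no KPIs, and a criticality value outside the expected lower-case set).
SAMPLE_REGISTER = {
    "suppliers": [
        {"name": "AWS", "service_provided": "Cloud infrastructure",
         "criticality": "critical", "contract_status": "active",
         "contract_expiry": "2027-12-31",
         "performance_kpis": [{"metric": "Availability", "target": "99.95%",
                               "review_frequency": "monthly"}]},
        {"name": "Datadog", "service_provided": "Monitoring",
         "criticality": "Important", "contract_status": "active",
         "performance_kpis": []},
    ]
}


def validate_register(register: dict) -> list[str]:
    """Return findings for the Clause 7.2 completeness checks; empty list = pass."""
    findings = []
    suppliers = register.get("suppliers") or []
    # Check 1: at least one supplier documented
    if not suppliers:
        return ["No suppliers documented"]
    for idx, supplier in enumerate(suppliers):
        label = supplier.get("name") or f"supplier[{idx}]"
        # Check 2: required fields present and non-empty
        missing = [f for f in REQUIRED_FIELDS if not supplier.get(f)]
        if missing:
            findings.append(f"{label}: missing required field(s) {', '.join(missing)}")
        # Check 3: at least one performance KPI defined
        if not supplier.get("performance_kpis"):
            findings.append(f"{label}: no performance KPIs defined")
        # Check 4: criticality value within the expected set (exact match)
        crit = supplier.get("criticality")
        if crit and crit not in ALLOWED_CRITICALITY:
            findings.append(f"{label}: criticality '{crit}' not in {sorted(ALLOWED_CRITICALITY)}")
    return findings


def validate_file(path: str) -> list[str]:
    """Validate a supplier-register.json file on disk."""
    with open(path, encoding="utf-8") as fh:
        return validate_register(json.load(fh))


if __name__ == "__main__":
    for line in validate_register(SAMPLE_REGISTER) or ["Register passes all checks"]:
        print(line)
```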
Getting Started
Activate the ISO 20000 Supplier Management skill and prepare a list of all external parties your services depend on – cloud providers, software vendors, telecoms, outsourced support, and consultancies. The agent will guide you through classification, contract review, and KPI definition for each.
The completed supplier register integrates with other ISO 20000 processes – change management references supplier dependencies, and business relationship management uses supplier performance data to assess end-to-end service delivery.