ISO 27001 Supplier Information Security Policy

    Overview

    Draft and validate supplier security requirements and annexes for ISO/IEC 27001:2022 Annex A control A.5.21 (together with A.5.19 and A.5.20). Define the Minimum Security Baseline for different vendor types: High (cloud providers, data processors, ICT supply chain) versus Low (janitorial, facilities, minimal data access). Generate tier-based security annexes and validate that contracts include the mandatory Right to Audit and Breach Notification clauses, so documentation stays audit-ready and aligned with living-document expectations.

    Example Conversation

    You: We’re onboarding a new cloud provider for our CRM. I need a supplier security annex that matches their access level. They’ll have access to our internal network and customer data.

    Agent: I’ll treat this as a High tier vendor (Cloud, data access). Running tier_based_clause_generator for High to get the Minimum Security Baseline…

    Agent: For High tier the annex must include: Security Requirements in Supplier Agreements, Right to Audit, Breach and Incident Notification, Subprocessor Flow-Down, Secure Disposal and Data Return, ICT Supply Chain Security, Monitoring and Change Management, and Cloud Services Security where applicable. I’ll copy the template annex and fill each section. Do you want breach notification at 72 hours?

    You: Yes, 72 hours. Once the annex is drafted, run the contract check — we’ll attach it to our master service agreement.

    Agent: I’ve drafted the annex with 72h breach notification and on-site audit rights. Running right_to_audit_enforcer on the draft…

    Agent: RIGHT TO AUDIT & BREACH NOTIFICATION ENFORCER — Result: PASS. [OK] Right to Audit. [OK] Breach Notification. Both clauses are present. You can attach this annex to the MSA.

    What the Tools Validate

    The skill includes two extension tools:

    tier_based_clause_generator returns the Minimum Security Baseline clauses for a vendor tier so you can scope annexes correctly:

    • High — Cloud providers, data processors, ICT suppliers (access to internal network/systems or sensitive data). Clauses include: Right to Audit, Breach Notification, Security Requirements in Agreements, Subprocessor Flow-Down, Secure Disposal and Data Return, ICT Supply Chain Security (A.5.21), Monitoring and Change Management, and Cloud Services Security where applicable.
    • Low — Janitorial, facilities, physical-only or minimal data access. Clauses include: Right to Audit (premises/access scope), Breach Notification, and Security Requirements in Agreements; no subprocessor or ICT supply chain obligations.
    • Use when starting an annex or when the user specifies vendor type (e.g. Cloud vs Janitorial). Parameter: tier (High | Low).

    right_to_audit_enforcer validates a contract or security annex for the presence of two mandatory clauses:

    • Right to Audit — Looks for language granting the organization the right to conduct audits or inspections of the supplier’s systems, processes, or records (including on-site/physical access where relevant). Reports [MISSING] with guidance to add a clause if absent.
    • Breach Notification — Looks for obligation to notify the organization of security breaches or incidents within a defined timeframe (e.g. 72 hours). Reports [MISSING] with guidance to add a clause with a specific timeline.
    • Run after drafting or editing supplier agreements or annexes. Parameter: path (path to the document). Result: PASS when both clauses are present; FAIL with actionable guidance for each missing clause.
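    The following Python sketch is an added example, not the skill's own code, showing how the two tools described above can be modelled: a baseline lookup keyed on tier and a text-based enforcer that reports one [OK] or [MISSING] finding per mandatory clause and an overall PASS or FAIL, in the format the page shows. The regex heuristics, function names and the three sample annex bodies are assumptions constructed for the illustration; the real tool's matching rules and its path parameter handling are not on the page. The enforcer evaluates the notification deadline per sentence, so an audit-notice period elsewhere in the document cannot satisfy the breach-notification timeframe.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Minimum Security Baseline per vendor tier, as listed on the page.
BASELINE = {
    "High": [
        "Security Requirements in Supplier Agreements", "Right to Audit",
        "Breach and Incident Notification", "Subprocessor Flow-Down",
        "Secure Disposal and Data Return", "ICT Supply Chain Security (A.5.21)",
        "Monitoring and Change Management", "Cloud Services Security (where applicable)",
    ],
    "Low": [
        "Security Requirements in Supplier Agreements",
        "Right to Audit (premises/access scope)", "Breach and Incident Notification",
    ],
}

def tier_based_clause_generator(tier: str) -> list[str]:
    """Return the baseline clauses for a tier (High | Low); other values are rejected."""
    key = tier.strip().title()
    if key not in BASELINE:
        raise ValueError(f"tier must be High or Low, got {tier!r}")
    return list(BASELINE[key])

# Heuristic patterns: the real tool's matching rules are not on the page (assumption).
# Language granting the organization audit/inspection rights over the Supplier.
AUDIT_RE = re.compile(
    r"right\s+to\s+(?:\w+\s+){0,3}?(?:audit|inspect)"
    r"|(?:conduct|perform|carry\s+out)\s+(?:\w+\s+){0,3}?(?:audits?|inspections?)",
    re.IGNORECASE)
# An obligation to notify/inform about a breach or incident ...
NOTIFY_RE = re.compile(r"\b(?:notif(?:y|ication)|inform)\b[^.]{0,120}?\b(?:breach|incident)", re.IGNORECASE)
# ... within a defined timeframe (number and unit are captured for the report).
TIMEFRAME_RE = re.compile(r"within\s+(\d+)\s*(hours?|h|days?|business\s+days?)\b", re.IGNORECASE)

@dataclass
class EnforcerResult:
    result: str            # "PASS" or "FAIL"
    findings: list[str]    # one "[OK] ..." or "[MISSING] ..." line per mandatory clause
    timeframe: str | None  # e.g. "72 hours" when a notification deadline was found

def right_to_audit_enforcer(text: str) -> EnforcerResult:
    """Check a contract or annex body for the two mandatory clauses."""
    findings = []
    if AUDIT_RE.search(text):
        findings.append("[OK] Right to Audit")
    else:
        findings.append("[MISSING] Right to Audit: add a clause granting the right to audit or inspect "
                        "the Supplier's systems, processes and records (on-site access where relevant).")
    # Evaluate the deadline per sentence, so a "14 days' notice" audit term elsewhere
    # in the document cannot satisfy the breach-notification timeframe.
    notify_sentences = [s for s in re.split(r"(?<=[.;])\s+", text) if NOTIFY_RE.search(s)]
    timeframe = None
    for sentence in notify_sentences:
        if m := TIMEFRAME_RE.search(sentence):
            timeframe = f"{m.group(1)} {m.group(2).lower()}"
            break
    if timeframe:
        findings.append(f"[OK] Breach Notification (within {timeframe})")
    elif notify_sentences:
        findings.append("[MISSING] Breach Notification: an obligation to notify exists but has no defined "
                        "timeframe; add a specific timeline (e.g. within 72 hours of discovery).")
    else:
        findings.append("[MISSING] Breach Notification: add a clause obliging the Supplier to notify the "
                        "organization of security breaches or incidents within a defined timeframe.")
    result = "FAIL" if any(f.startswith("[MISSING]") for f in findings) else "PASS"
    return EnforcerResult(result, findings, timeframe)

# Constructed sample annex bodies (not real contracts) used to exercise the checks.
SAMPLE_HIGH_ANNEX = """\
## 2. Right to Audit and Inspection
[Organization] reserves the right, at any time during the term, to conduct announced or
unannounced audits and inspections of the Supplier's systems, processes, and records.
On-site audits shall be permitted with at least 14 days' notice.
## 3. Breach and Incident Notification
The Supplier shall notify [Organization] of any security incident or breach affecting
[Organization]'s information or systems within 72 hours of discovery.
"""
SAMPLE_NO_TIMEFRAME = """\
[Organization] may conduct audits of the Supplier's records.
The Supplier shall notify [Organization] of any security incident without undue delay.
"""
SAMPLE_LOW_NO_AUDIT = """\
The Supplier provides cleaning services to [Organization]'s premises.
The Supplier shall notify [Organization] of any security incident within 24 hours.
"""

if __name__ == "__main__":
    for name, doc in [("high", SAMPLE_HIGH_ANNEX), ("no-timeframe", SAMPLE_NO_TIMEFRAME),
                      ("low-no-audit", SAMPLE_LOW_NO_AUDIT)]:
        r = right_to_audit_enforcer(doc)
        print(f"{name}: {r.result}", *r.findings, sep="\n  ")
```

    Running the script reports PASS for the first sample and FAIL for the other two, each FAIL carrying the guidance line for the clause that is absent or lacks a timeline. To mirror the tool's path parameter, read the file contents and pass the text to right_to_audit_enforcer.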

    Output Excerpt

    A condensed excerpt from a generated High-tier supplier security annex:

    # Supplier Information Security Annex
    
    **Vendor / Contract:** Acme Cloud Ltd — CRM SaaS MSA  
    **Vendor tier:** High  
    **Effective date:** 2026-02-18
    
    This annex sets forth the minimum information security requirements pursuant to [Organization]'s Supplier Information Security Policy and ISO/IEC 27001:2022 (Controls A.5.19, A.5.20, A.5.21).
    
    ## 2. Right to Audit and Inspection
    
    [Organization] reserves the right, at any time during the term, to conduct announced or unannounced audits and inspections of the Supplier's systems, processes, and records relevant to the services and to [Organization]'s data. The Supplier shall provide access to facilities, configurations, and evidence as reasonably required. On-site audits shall be permitted with at least 14 days' notice unless otherwise agreed for cause.
    
    ## 3. Breach and Incident Notification
    
    The Supplier shall notify [Organization] of any security incident or breach affecting [Organization]'s information or systems **within 72 hours** of discovery. Notification shall include nature of the incident, scope, and initial containment steps; a designated point of contact; and follow-up reporting as agreed.
    

    Run right_to_audit_enforcer on the full contract or annex before finalising to ensure both Right to Audit and Breach Notification are present and sufficient for your tier.

    Getting Started

    Add your contract or annex draft to the project workspace, then activate the ISO 27001 Supplier Information Security Policy skill. Classify the vendor as High or Low (Cloud vs Janitorial), run tier_based_clause_generator to get the baseline clauses, draft the annex from the template, and run right_to_audit_enforcer to validate before attaching to agreements.
