# ISO 27001 Supplier Information Security Policy

> Draft and validate supplier security requirements and annexes for ISO 27001:2022 Control 5.21. Tier-based Minimum Security Baseline (Cloud vs Janitorial), Right to Audit and Breach Notification validation.
Tags: ISO 27001, ISMS, Compliance, Supplier Security, A.5.19, A.5.21
## Example Prompts

- Draft a supplier security annex for our cloud provider (High tier)
- Generate the minimum security baseline for a janitorial vendor (Low tier)
- Check whether our vendor contract has Right to Audit and Breach Notification clauses
- Create a security annex for a new data processor aligned to ISO 27001 Control 5.21
- Review our existing supplier annexes for ICT supply chain and subprocessor flow-down clauses

URL: https://rakenne.app/skills/iso27001-supplier-security-policy/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-supplier-security-policy
## Overview

Draft and validate supplier security requirements and annexes for ISO 27001:2022 Control 5.21 (and A.5.19, A.5.20). Define the Minimum Security Baseline for different vendor types: **High** (Cloud, data processors, ICT supply chain) vs **Low** (Janitorial, facilities, minimal data access). Generate tier-based security annexes and validate that contracts include the mandatory Right to Audit and Breach Notification clauses, so the documentation stays audit-ready and is maintained as a living document.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

## Example Conversation

> **You:** We're onboarding a new cloud provider for our CRM. I need a supplier security annex that matches their access level. They'll have access to our internal network and customer data.

> **Agent:** I'll treat this as a **High** tier vendor (Cloud, data access). Running `tier_based_clause_generator` for High to get the Minimum Security Baseline...

> **Agent:** For High tier the annex must include: Security Requirements in Supplier Agreements, Right to Audit, Breach and Incident Notification, Subprocessor Flow-Down, Secure Disposal and Data Return, ICT Supply Chain Security, Monitoring and Change Management, and Cloud Services Security where applicable. I'll copy the template annex and fill each section. Do you want breach notification at 72 hours?

> **You:** Yes, 72 hours. Once the annex is drafted, run the contract check — we'll attach it to our master service agreement.

> **Agent:** I've drafted the annex with 72h breach notification and on-site audit rights. Running `right_to_audit_enforcer` on the draft...

> **Agent:** RIGHT TO AUDIT & BREACH NOTIFICATION ENFORCER — Result: **PASS**. [OK] Right to Audit. [OK] Breach Notification. Both clauses are present. You can attach this annex to the MSA.

## What the Tools Validate

The skill includes two extension tools:

**`tier_based_clause_generator`** returns the Minimum Security Baseline clauses for a vendor tier so you can scope annexes correctly:

- **High** — Cloud providers, data processors, ICT suppliers (access to internal network/systems or sensitive data). Clauses include: Right to Audit, Breach Notification, Security Requirements in Agreements, Subprocessor Flow-Down, Secure Disposal and Data Return, ICT Supply Chain Security (A.5.21), Monitoring and Change Management, and Cloud Services Security where applicable.
- **Low** — Janitorial, facilities, physical-only or minimal data access. Clauses include: Right to Audit (premises/access scope), Breach Notification, and Security Requirements in Agreements; no subprocessor or ICT supply chain obligations.
- Use when starting an annex or when the user specifies vendor type (e.g. Cloud vs Janitorial). Parameter: `tier` (High | Low).

**`right_to_audit_enforcer`** validates a contract or security annex for the presence of two mandatory clauses:

- **Right to Audit** — Looks for language granting the organization the right to conduct audits or inspections of the supplier's systems, processes, or records (including on-site/physical access where relevant). Reports [MISSING] with guidance to add a clause if absent.
- **Breach Notification** — Looks for obligation to notify the organization of security breaches or incidents within a defined timeframe (e.g. 72 hours). Reports [MISSING] with guidance to add a clause with a specific timeline.
- Run after drafting or editing supplier agreements or annexes. Parameter: `path` (path to the document). Result: **PASS** when both clauses are present; **FAIL** with actionable guidance for each missing clause.
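As an added illustration of the two presence checks described above (this is example code, not the skill's own implementation of `right_to_audit_enforcer`), the following Python sketch applies the same tests to constructed annex text: it requires language granting a right to audit or inspect, and a breach or incident notification obligation that sits in the same sentence as a defined timeframe. The regex wording, the sentence splitting and the sample documents are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Patterns approximating the two checks the page describes; they are this example's
# assumptions, not the skill's own matching rules.
AUDIT_RE = re.compile(r"\bright\b[^.]{0,80}?\b(?:audit|inspect)\w*", re.I)
NOTIFY_RE = re.compile(r"\bnotif\w*[^.]{0,120}?\b(?:breach|incident)"
                       r"|\b(?:breach|incident)\w*[^.]{0,120}?\bnotif\w*", re.I)
TIMEFRAME_RE = re.compile(r"\bwithin\s+[\w-]+\s*(?:hours?|h\b|days?|business\s+days?)", re.I)


@dataclass
class Finding:
    clause: str
    present: bool
    guidance: str = ""


def _sentences(text: str) -> list[str]:
    # Drop markdown emphasis so "**within 72 hours**" is still seen, then split on sentence ends.
    plain = re.sub(r"[*_`#]+", "", text)
    return [s.strip() for s in re.split(r"(?<=[.;])\s+", plain) if s.strip()]


def enforce(text: str) -> dict:
    """Return {'status': 'PASS'|'FAIL', 'findings': [Finding, Finding]}."""
    sents = _sentences(text)
    audit = any(AUDIT_RE.search(s) for s in sents)
    # A notification obligation only counts when the same sentence fixes a timeframe.
    notify = any(NOTIFY_RE.search(s) and TIMEFRAME_RE.search(s) for s in sents)
    findings = [
        Finding("Right to Audit", audit, "" if audit else
                "Add a clause granting the right to audit or inspect the supplier's systems, "
                "processes and records, including on-site access where relevant."),
        Finding("Breach Notification", notify, "" if notify else
                "Add an obligation to notify of security breaches or incidents within a "
                "specific timeframe (e.g. 72 hours)."),
    ]
    return {"status": "PASS" if audit and notify else "FAIL", "findings": findings}


# Constructed sample documents (not taken from any real contract).
ANNEX_OK = """[Organization] reserves the right to conduct announced or unannounced audits and
inspections of the Supplier's systems. The Supplier shall notify [Organization] of any security
incident or breach affecting its information **within 72 hours** of discovery."""
ANNEX_NO_TIMEFRAME = """The Supplier grants [Organization] a right of inspection of its records.
The Supplier shall notify [Organization] of any security breach promptly."""

if __name__ == "__main__":
    for doc in (ANNEX_OK, ANNEX_NO_TIMEFRAME):
        res = enforce(doc)
        print(res["status"], [("[OK]" if f.present else "[MISSING]", f.clause) for f in res["findings"]])
```

The second sample fails only on Breach Notification because "promptly" is not a defined timeframe, which is the gap the page's guidance tells you to close with a specific timeline.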

## Output Excerpt

A condensed excerpt from a generated **High**-tier supplier security annex:

```markdown
# Supplier Information Security Annex

**Vendor / Contract:** Acme Cloud Ltd — CRM SaaS MSA  
**Vendor tier:** High  
**Effective date:** 2026-02-18

This annex sets forth the minimum information security requirements pursuant to [Organization]'s Supplier Information Security Policy and ISO/IEC 27001:2022 (Controls A.5.19, A.5.20, A.5.21).

## 2. Right to Audit and Inspection

[Organization] reserves the right, at any time during the term, to conduct announced or unannounced audits and inspections of the Supplier's systems, processes, and records relevant to the services and to [Organization]'s data. The Supplier shall provide access to facilities, configurations, and evidence as reasonably required. On-site audits shall be permitted with at least 14 days' notice unless otherwise agreed for cause.

## 3. Breach and Incident Notification

The Supplier shall notify [Organization] of any security incident or breach affecting [Organization]'s information or systems **within 72 hours** of discovery. Notification shall include nature of the incident, scope, and initial containment steps; a designated point of contact; and follow-up reporting as agreed.
```

Run `right_to_audit_enforcer` on the full contract or annex before finalising to ensure both Right to Audit and Breach Notification are present and sufficient for your tier.

## Getting Started

Add your contract or annex draft to the project workspace, then activate the *ISO 27001 Supplier Information Security Policy* skill. Classify the vendor as High or Low (Cloud vs Janitorial), run `tier_based_clause_generator` to get the baseline clauses, draft the annex from the template, and run `right_to_audit_enforcer` to validate before attaching to agreements.

