How to Automate ISO 27001 Supplier Security Evidence (A.5.19-A.5.23)
ISO 27001 supplier security evidence requires documenting vendor risk assessments, agreements, and ongoing monitoring for Annex A controls A.5.19–A.5.23. This guide explains how to automate the collection of screenshots and workflow records to ensure your supply chain security is audit-ready.

ISO 27001 certification audits increasingly focus on the supply chain, requiring rigorous evidence for Annex A controls related to supplier relationships (A.5.19–A.5.23). While many organizations use GRC platforms to store vendor contracts, auditors now demand proof of active monitoring, risk assessment workflows, and cloud service configuration reviews. Automating ISO 27001 evidence collection for these controls ensures you can provide screenshots of vendor portals, audit logs of contract reviews, and documentation of cloud security settings without hours of manual administrative work.
What Supplier Security Evidence Do ISO 27001 Auditors Require?
Answer: For ISO 27001:2022 controls A.5.19 through A.5.23, auditors require evidence that proves you are actively managing supply chain risk, not just signing contracts. This includes risk assessment records (showing criteria and results), supplier agreements containing specific security clauses (A.5.20), monitoring records (screenshots of service performance or security dashboards), and evidence of review for cloud services (A.5.23).
Merely having a "Vendor Management Policy" is insufficient for Stage 2 audits. You must demonstrate the implementation of that policy—for example, by providing a timestamped screenshot showing that you reviewed AWS Security Hub findings (A.5.23) or that you revoked access for an offboarded vendor (A.5.22).
Breakdown of Supplier Security Controls (A.5.19–A.5.23)
The ISO 27001:2022 standard lists the supplier controls under the Organizational controls theme (the A.5.x controls in Annex A). Below is a breakdown of the specific evidence required for each control and how automation can capture it.
A.5.19 Information Security in Supplier Relationships
Objective: To define and manage information security risks associated with suppliers.
| Requirement | Manual Evidence | Automated Evidence |
|---|---|---|
| Supplier Inventory | Excel sheet of vendors. | Real-time export of connected apps from SSO/IdP (Okta/Google). |
| Risk Assessment | Static PDF of a risk questionnaire. | Screenata recording of the risk scoring workflow in your GRC or VRM tool. |
| Policy Acceptance | Email confirmation from vendor. | Screenshot of the vendor portal showing "Agreed" status on security policies. |
A.5.20 Addressing Information Security Within Supplier Agreements
Objective: To ensure security requirements are legally agreed upon.
| Requirement | Manual Evidence | Automated Evidence |
|---|---|---|
| Security Clauses | Copy of the MSA/DPA. | Searchable PDF repository where security clauses are highlighted/indexed. |
| SLA Definitions | Contract appendix. | Screenshot of the specific SLA section in the digital contract management system (e.g., Ironclad, DocuSign). |
A.5.21 Managing Information Security in the ICT Supply Chain
Objective: To manage risks associated with information and communication technology (ICT) products and services.
| Requirement | Manual Evidence | Automated Evidence |
|---|---|---|
| Software Bill of Materials (SBOM) | Manual request to vendor. | Automated fetch of SBOM or dependency graph from GitHub/GitLab. |
| Component Validation | Manual check of hash/signature. | Screenshot of CI/CD pipeline showing successful signature verification of third-party deps. |
A.5.22 Monitoring, Review, and Change Management of Supplier Services
Objective: To maintain a consistent level of information security and service delivery.
| Requirement | Manual Evidence | Automated Evidence |
|---|---|---|
| Performance Review | Meeting minutes in Word. | Screenata recording of the quarterly vendor review dashboard (e.g., uptime, incident reports). |
| Incident Response | Email thread regarding a vendor breach. | Screenshot of the ticketing system (Jira) linking vendor notifications to internal incident response tickets. |
| Access Revocation | Ticket to remove vendor access. | Screenshot of the "User Deleted" log for external contractor accounts. |
A.5.23 Information Security for Use of Cloud Services
Objective: To specify and manage security for the use of cloud services (SaaS, PaaS, IaaS). (New in 2022)
| Requirement | Manual Evidence | Automated Evidence |
|---|---|---|
| Configuration Review | Manual screenshot of AWS/Azure console. | Automated capture of AWS Security Hub, Azure Policy, or SaaS security settings pages. |
| Shared Responsibility | Matrix document. | Screenshot of the cloud provider's compliance artifact (e.g., downloading the AWS SOC 2 report from AWS Artifact). |
| Admin Protection | Screenshot of MFA on root account. | Automated check and screenshot of IAM settings for cloud admin accounts. |
Where Traditional ISO 27001 Automation Stops
Most organizations rely on GRC platforms like Vanta, Drata, or Secureframe to manage their ISMS. While these tools are powerful for tracking which vendors you use, they often fall short on the operational evidence required for supplier controls.
The Automation Gap:
- Static vs. Dynamic: GRC tools are great at storing a static PDF (the vendor's SOC 2 report). They struggle to prove you reviewed it or that you are monitoring the vendor's real-time security posture.
- Custom Workflows: A.5.22 requires evidence of "monitoring and review." If your review process involves checking a dashboard in a proprietary portal or discussing performance in a Slack channel, GRC API integrations cannot capture that context.
- Cloud Configuration Nuance: For A.5.23, an API call can confirm that CloudTrail is enabled or that a security group rule allows a given port, but it does not record the justification for that rule (the supplier integration it exists for, who approved it, and when it was last reviewed), which is exactly what an auditor asks about.
Solution: Evidence automation tools like Screenata fill this gap by "watching" the review process. Instead of just uploading a document, an AI agent records the screen as you navigate the vendor's status page or your internal review ticket, generating a timestamped, verifiable record of the activity.
How to Automate Supplier Security Evidence Collection
To fully automate evidence for A.5.19–A.5.23, implement a workflow that captures the lifecycle of a supplier relationship, from onboarding to monitoring.
Step 1: Automate the Inventory (A.5.19)
Connect your Identity Provider (Okta, Google Workspace) to your compliance tool. This automatically generates the bulk of your "Supplier Inventory" by listing every application your employees sign into through SSO. Note that the export only covers federated apps: suppliers reached by direct login, bookmark links, or service-to-service API keys will not appear, so reconcile the IdP list against procurement or expense records before treating it as complete.
- Evidence: Automated list export.
Step 2: Record the Risk Assessment (A.5.19 / A.5.21)
When you perform a risk assessment for a high-risk vendor (e.g., a new payroll provider), use a workflow recorder.
- Action: Record the screen as you review the vendor's security questionnaire responses and assign a risk score in your VRM tool.
- Automation: The tool captures screenshots of the critical "High Risk" flags and the final approval click.
- Output: A PDF summarizing the assessment logic and approval timestamp.
Step 3: Schedule Cloud Security Reviews (A.5.23)
Set up a recurring automated task to capture the security posture of your critical cloud services.
- Action: An AI agent logs into the AWS/Azure/GCP console using a dedicated read-only identity (for AWS, a role with the managed SecurityAudit policy), never a shared admin login.
- Automation: It navigates to the "Security Hub" or "Advisor" dashboard and takes a screenshot of the compliance score and critical alerts list.
- Output: A monthly "Cloud Security Posture" evidence pack, proving active monitoring required by A.5.23.
Step 4: Automate Vendor Offboarding Evidence (A.5.22)
When a contract ends, the offboarding process is critical evidence.
- Action: Trigger a workflow when a vendor is marked "Inactive."
- Automation: The system captures screenshots verifying that:
- Data was exported/deleted.
- Vendor accounts were disabled in the IdP.
- VPN keys were revoked.
- Output: A "Vendor Termination Evidence" pack.
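The inventory step and the offboarding step can be checked in code rather than only screenshotted. The script below is an added example written for this guide, not Screenata's or any IdP's code: it takes an IdP app export and app-user list (constructed samples here, shaped loosely after Okta's app and user objects; the field names, the vendor domain and the function names are this example's assumptions), builds the A.5.19 inventory while flagging apps the IdP cannot centrally revoke, then verifies for an offboarded vendor that the app is disabled and no account under the vendor's domain is still active, and wraps the result in a timestamped record with a SHA-256 digest so tampering with stored evidence is detectable.

```python
"""Supplier inventory from an IdP export and vendor-offboarding verification.

Added example for Step 1 (A.5.19) and Step 4 (A.5.22). In production the two
structures below come from the IdP's API; here they are constructed samples
shaped loosely after Okta's app and user objects (field names are assumptions).
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: one federated app, one offboarded vendor app, and one
# bookmark-only app that the IdP merely links to (no federation, no central revoke).
IDP_APPS = [
    {"id": "0oa1", "label": "Salesforce", "status": "ACTIVE", "signOnMode": "SAML_2_0"},
    {"id": "0oa2", "label": "PayrollCo", "status": "INACTIVE", "signOnMode": "SAML_2_0"},
    {"id": "0oa3", "label": "Palette Tool", "status": "ACTIVE", "signOnMode": "BOOKMARK"},
]

# Constructed sample: users assigned to each app, with Okta-style status values.
IDP_APP_USERS = {
    "0oa2": [
        {"login": "c.one@payrollco.example", "status": "DEPROVISIONED"},
        {"login": "c.two@payrollco.example", "status": "ACTIVE"},  # missed during offboarding
        {"login": "alice@corp.example", "status": "ACTIVE"},       # internal owner, not a vendor account
    ],
}

FEDERATED_MODES = {"SAML_2_0", "OPENID_CONNECT", "WS_FEDERATION"}


def build_inventory(apps):
    """A.5.19 supplier inventory. Bookmark-only apps are listed but flagged: the IdP
    cannot disable access to them, so they need a separate offboarding step."""
    return [
        {
            "supplier": app["label"],
            "app_id": app["id"],
            "status": app["status"],
            "centrally_revocable": app["signOnMode"] in FEDERATED_MODES,
        }
        for app in apps
    ]


def verify_offboarding(app_id, apps, app_users, vendor_domain):
    """A.5.22 check for a vendor marked inactive: the app must be disabled in the IdP
    and no account under the vendor's mail domain may still be active."""
    app = next(a for a in apps if a["id"] == app_id)
    leftover = [
        u["login"] for u in app_users.get(app_id, [])
        if u["login"].lower().endswith("@" + vendor_domain) and u["status"] != "DEPROVISIONED"
    ]
    app_disabled = app["status"] == "INACTIVE"
    return {
        "app_disabled": app_disabled,
        "active_vendor_accounts": leftover,
        "passed": app_disabled and not leftover,
    }


def evidence_record(control, subject, result, captured_at=None):
    """Wrap a check result as a timestamped record with a SHA-256 over its canonical
    JSON, so a later reviewer can tell whether the stored evidence was altered."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    body = {"control": control, "subject": subject, "captured_at": captured_at, "result": result}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "sha256": digest}


def verify_evidence(record):
    """Recompute the digest over everything except the stored hash and compare."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() == record["sha256"]


if __name__ == "__main__":
    print(json.dumps(build_inventory(IDP_APPS), indent=2))
    result = verify_offboarding("0oa2", IDP_APPS, IDP_APP_USERS, "payrollco.example")
    print(json.dumps(evidence_record("A.5.22", "PayrollCo offboarding", result), indent=2))
```

With the sample data the offboarding check fails, because one contractor account is still active even though the app itself is disabled; the evidence record stores that failure rather than silently passing, which is the finding an auditor expects to see raised and then closed.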
Example: Automating Control A.5.23 (Cloud Services)
Control Objective: Ensure information security for the use of cloud services is managed effectively.
Scenario: Your organization uses AWS for infrastructure and Salesforce for CRM. The auditor asks, "Show me evidence that you review the security configurations of these services regularly."
Manual Process:
- Log into AWS Console.
- Go to IAM > Account Settings.
- Take screenshot.
- Log into Salesforce Setup.
- Go to Security > Health Check.
- Take screenshot.
- Paste into Word, add dates, sign off.
Automated Process with Screenata:
- Configuration: Configure the "Cloud Review" agent with read-only access to AWS and Salesforce.
- Execution: On the 1st of every month, the agent runs automatically.
- Capture:
- AWS: Screenshots AWS Security Hub score and IAM Password Policy page.
- Salesforce: Screenshots the "Security Health Check" score (e.g., 90%).
- Result: A PDF named A.5.23_Cloud_Security_Review_Jan2026.pdf is generated and uploaded to your ISMS evidence folder.
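A screenshot of the Security Hub score proves someone looked; evaluating the settings against a written baseline proves what was checked. The script below is an added example for the A.5.23 walkthrough above, not Screenata's code and not an AWS-provided tool. Its three inputs are constructed samples in the shape returned by boto3's iam.get_account_password_policy()["PasswordPolicy"], iam.get_account_summary()["SummaryMap"] and securityhub.get_findings()["Findings"] (real calls, for which a read-only role is sufficient); the baseline thresholds, the sample values and the function names are this example's assumptions. It shows the weak configuration beside the hardened one and names the evidence file the way the page does.

```python
"""A.5.23 configuration review of one AWS account, as an added example.

The inputs are constructed samples; in production they come from boto3's
iam.get_account_password_policy(), iam.get_account_summary() and
securityhub.get_findings(). Thresholds are this example's baseline.
"""
from datetime import datetime, timezone

BASELINE = {
    "min_length": 14,            # CIS AWS Foundations Benchmark value
    "reuse_prevention": 24,      # CIS AWS Foundations Benchmark value
    "max_age_days": 90,          # example assumption
    "max_open_critical_high": 0, # example assumption: no unresolved CRITICAL/HIGH findings
}

# Constructed: the account password policy before and after hardening.
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "ExpirePasswords": False,
}
HARDENED_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "ExpirePasswords": True, "MaxPasswordAge": 90, "PasswordReusePrevention": 24,
}
# Constructed: the SummaryMap fields that describe the root account.
WEAK_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}
HARDENED_SUMMARY = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}

# Constructed Security Hub findings (ASFF fields). Only active, unresolved
# CRITICAL/HIGH findings count against the review; suppressed or archived ones do not.
FINDINGS = [
    {"Title": "S3 bucket allows public read", "Severity": {"Label": "CRITICAL"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Title": "CloudTrail log not encrypted", "Severity": {"Label": "HIGH"},
     "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"}},
    {"Title": "Old finding", "Severity": {"Label": "HIGH"},
     "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"}},
]


def open_critical_high(findings):
    """Titles of CRITICAL/HIGH findings that are still active and not worked."""
    return [f["Title"] for f in findings
            if f["Severity"]["Label"] in ("CRITICAL", "HIGH")
            and f["RecordState"] == "ACTIVE"
            and f["Workflow"]["Status"] in ("NEW", "NOTIFIED")]


def review_account(policy, summary, findings, baseline=BASELINE, captured_at=None):
    """One row per check: what was observed and whether it meets the baseline."""
    complexity_keys = ("RequireSymbols", "RequireNumbers",
                       "RequireUppercaseCharacters", "RequireLowercaseCharacters")
    open_findings = open_critical_high(findings)
    min_len = policy.get("MinimumPasswordLength", 0)
    reuse = policy.get("PasswordReusePrevention", 0)
    max_age = policy.get("MaxPasswordAge", 0)
    rows = [
        ("IAM password minimum length", min_len, min_len >= baseline["min_length"]),
        ("IAM password complexity", {k: policy.get(k, False) for k in complexity_keys},
         all(policy.get(k, False) for k in complexity_keys)),
        ("IAM password reuse prevention", reuse, reuse >= baseline["reuse_prevention"]),
        ("IAM password expiry", max_age,
         bool(policy.get("ExpirePasswords")) and 0 < max_age <= baseline["max_age_days"]),
        ("Root account MFA enabled", summary.get("AccountMFAEnabled", 0),
         summary.get("AccountMFAEnabled", 0) == 1),
        ("Root access keys absent", summary.get("AccountAccessKeysPresent", 0),
         summary.get("AccountAccessKeysPresent", 0) == 0),
        ("Open CRITICAL/HIGH Security Hub findings", open_findings,
         len(open_findings) <= baseline["max_open_critical_high"]),
    ]
    checks = [{"check": c, "observed": o, "passed": p} for c, o, p in rows]
    return {
        "control": "A.5.23",
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "checks": checks,
        "passed": all(c["passed"] for c in checks),
    }


def evidence_filename(result):
    """File name in the page's convention, e.g. A.5.23_Cloud_Security_Review_Jan2026.json."""
    when = datetime.fromisoformat(result["captured_at"])
    return f'{result["control"]}_Cloud_Security_Review_{when.strftime("%b%Y")}.json'


if __name__ == "__main__":
    for label, pol, summ in (("weak", WEAK_POLICY, WEAK_SUMMARY), ("hardened", HARDENED_POLICY, HARDENED_SUMMARY)):
        res = review_account(pol, summ, FINDINGS)
        failed = [c["check"] for c in res["checks"] if not c["passed"]]
        print(f"{label}: passed={res['passed']} failed={failed} -> {evidence_filename(res)}")
```

Note that the hardened account still fails the review while a CRITICAL Security Hub finding is open; the suppressed and archived findings are deliberately ignored, which is also the kind of decision (why a finding was suppressed, by whom) that the evidence pack should record next to the score.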
Frequently Asked Questions
What is the difference between A.5.19 and A.5.21?
A.5.19 focuses on the relationship and contractual aspects with the supplier (policies, agreements, onboarding). A.5.21 (ICT Supply Chain) specifically targets the technology risks—software dependencies, hardware components, and the risk of compromised code or equipment entering your environment.
Do I need evidence for every single SaaS tool?
ISO 27001 applies a risk-based approach. You generally need rigorous evidence (risk assessments, regular monitoring) for critical suppliers—those that process PII, hold intellectual property, or are essential for business continuity. For low-risk tools (e.g., a color palette generator), a simple inventory listing is often sufficient.
Can I just use the vendor's SOC 2 report as evidence?
The SOC 2 report itself is evidence that the vendor has controls. However, for A.5.22 (Monitoring and Review), you need evidence that you read and reviewed that report: a screenshot of a "Review Completed" ticket or a documented risk acceptance form attached to the SOC 2 report, recording the period the report covers, any exceptions noted by the auditor, and the complementary user entity controls the vendor expects you to implement.
How does ISO 27001:2022 change supplier management?
The 2022 update introduced A.5.23 (Cloud Services) as a distinct control, acknowledging that "cloud providers" function differently than traditional "suppliers." It requires specific processes for acquisition, use, management, and exit from cloud services, necessitating distinct evidence from standard vendor contracts.
Key Takeaways
- ✅ A.5.19–A.5.23 covers the entire supplier lifecycle, from selection to exit.
- ✅ A.5.23 is a critical new control requiring specific evidence for cloud service security configurations.
- ✅ GRC tools manage the inventory but often miss the operational evidence of monitoring and review.
- ✅ Automation can capture screenshots of cloud dashboards (AWS, Salesforce) to prove active management without manual screenshots.
- ✅ Consistency is vital; automated agents ensure reviews are documented on a strict schedule (e.g., quarterly), preventing audit findings due to missed checks.
Learn More About ISO 27001 Certification Evidence Automation
For a comprehensive overview of how to streamline your entire certification journey, see our guide on automating ISO 27001 evidence collection, including detailed strategies for Stage 1 and Stage 2 audit preparation.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.