Monitoring, Review and Change Management of Supplier Services
Plain English Translation
ISO 27001 Annex A.5.22 requires organizations to actively supervise their third-party suppliers throughout the entire contract lifecycle. It is not enough to vet a vendor once; you must regularly check that they are still meeting their security obligations, adhering to Service Level Agreements (SLAs), and maintaining their own assurance evidence (such as a current SOC 2 Type II report or ISO 27001 certificate). Additionally, if a supplier changes their service, for example by moving data to a new region or engaging new sub-processors, you must evaluate the security impact of that change before accepting it.
Technical Implementation
Required Actions (startup)
- Review critical vendors annually by checking their status page and incident history and requesting their latest SOC 2 Type II report (plus a bridge letter if the report period has already lapsed)
- Set calendar reminders for contract renewals to trigger a basic security review
Required Actions (scaleup)
- Implement automated vendor monitoring tools to track security scores
- Formalize the review process for supplier changes (e.g., when a SaaS tool adds AI features)
Required Actions (enterprise)
- Establish quarterly business reviews (QBRs) with strategic partners involving security KPIs
- Integrate vendor incident feeds (status-page RSS/webhooks, breach and sub-processor notifications) directly into the internal SIEM or ticketing system so that each supplier incident opens a tracked case
A.5.22 is an organizational control that mandates the regular monitoring, review, evaluation, and management of changes in supplier information security practices and service delivery to ensure continued compliance.
Implement by scheduling periodic reviews (e.g., annual), monitoring performance against SLAs/KPIs, reviewing audit reports (SOC 2/ISO), and tracking incidents or operational changes.
Auditors look for a Third-Party Management Policy, records of completed periodic Vendor Security Reviews, evidence of monitoring (e.g., SLA reports), and logs of any corrective actions taken with vendors. WatchDog Security's Compliance Center can map these artifacts to A.5.22, track completion status, and package evidence for audits without changing your underlying process.
Frequency should be based on risk; critical or high-risk suppliers are typically reviewed annually or upon significant change, while low-risk suppliers may be reviewed only at contract renewal.
The process should include notification requirements for changes (e.g., new sub-processors), a risk assessment of the change, approval workflows, and the option to terminate if the change introduces unacceptable risk.
When a supplier moves data to a new region or adds a sub-processor, perform a targeted risk assessment to evaluate legal implications (e.g., GDPR transfer mechanisms), availability risks, and security gaps introduced by the new environment or sub-processor.
SLAs and KPIs provide objective metrics (e.g., 99.9% monthly uptime, critical vulnerabilities patched within 24 hours) to measure service delivery, making it easier to identify non-conformities and hold suppliers accountable.
An on-site audit is not always necessary; for most cloud/SaaS providers, reviewing independent third-party audit reports (such as a SOC 2 Type II report or an ISO 27001 certificate) is sufficient evidence of monitoring, provided you confirm that the report's scope covers the services you actually use, that its period is current (or bridged by a bridge letter), and that any noted exceptions and complementary user entity controls are addressed on your side.
Log issues in a Nonconformity/Corrective Action Tracker, formally communicate them to the supplier, require a remediation plan, and verify closure before the next review cycle. WatchDog Security's Vendor Risk Management can link findings to the vendor record, assign owners and due dates, and maintain an audit trail of follow-up communications and closure.
A.5.21 (managing information security in the ICT supply chain) focuses on the *ICT supply chain* integrity (software/hardware components and development security), while A.5.22 focuses on the ongoing *operational monitoring* of service delivery and supplier changes.
A.5.22 often fails when reviews live in spreadsheets and reminders, making it easy to miss due dates, SLA evidence, or follow-ups. WatchDog Security's Vendor Risk Management can centralize vendor records, risk-tiering, review cadences, and link SLA/KPI reports and review notes to each supplier for consistent, repeatable monitoring.
Even with a solid process, audits get painful when evidence is scattered across ticketing tools, shared drives, and email threads. WatchDog Security's Compliance Center can map required artifacts to A.5.22, track whether vendor reviews and corrective actions were completed, and assemble an audit-ready evidence set without changing the underlying review workflow.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |