Supplier-document monitoring for Annex A.5.19 – A.5.22.
The 2022 revision's supplier-relationships controls expect continuous monitoring of supplier services and managed change in the ICT supply chain. Thorgate produces the documentation half of that obligation automatically.
The Annex A.5.19 – A.5.22 controls
ISO/IEC 27001:2022 reorganized the older Annex A.15 controls into a four-control supplier-relationships group:
- A.5.19 — Information security in supplier relationships. Define and apply processes to manage information security risks in supplier use.
- A.5.20 — Addressing information security within supplier agreements. Document security requirements with each supplier and obtain agreement.
- A.5.21 — Managing information security in the ICT supply chain. Cover risk across ICT product / service supply, including subcontractors.
- A.5.22 — Monitoring, review and change management of supplier services. Regularly monitor, review, evaluate, and manage change in supplier service delivery.
A.5.22 is the operational one — and the one Thorgate maps to most directly.
How Thorgate evidences each control
A.5.19 evidence: a per-supplier register showing which suppliers are tracked, what documents are monitored for each, and what changes occurred in the observation window.
A.5.20 evidence: the current version of each supplier's DPA and security commitments, with a version history that proves which terms were in force at any given point.
A.5.21 evidence: subprocessor lists captured and versioned per supplier, with change events when subprocessors are added or removed — addressing supply-chain visibility.
A.5.22 evidence: continuous monitoring of supplier services, AI-summarized change events, severity classification, and reviewer attestations — exactly the artefact this control expects.
What auditors typically ask
- "How do you know your subprocessor list for supplier X is current?" — show the version-history timeline.
- "What changed in your tier-1 suppliers' DPAs this year?" — filter the change feed to the supplier set, export as CSV.
- "Who reviewed the November change to vendor X's privacy policy?" — show the timestamped review attestation.
- "How do you monitor supplier service changes between annual reviews?" — Thorgate's daily monitoring + alert thresholds are that monitoring.
Where Thorgate doesn't fit
Thorgate doesn't manage supplier onboarding workflows, security questionnaires, or contract repositories — those typically belong in your GRC platform or vendor management tool. If you don't have those covered, Thorgate alone won't satisfy A.5.19 – A.5.22; it's specifically the document-monitoring layer of the control stack.
FAQ
Does Thorgate help with the older ISO 27001:2013 Annex A.15 controls?
Yes — A.15.1 (Information security in supplier relationships) and A.15.2 (Supplier service delivery management) map cleanly to the same Thorgate evidence outputs as the 2022 revision's A.5.19 – A.5.22.
Will Thorgate help us get ISO 27001 certified?
Not by itself — certification requires a full ISMS. Thorgate produces the operational evidence for one control group. Pair with your ISMS and audit toolset.
Is Thorgate itself ISO 27001 certified?
Not yet. Current security posture is on the Security page.
Try it
14-day free trial, no credit card. Start a trial or read the full FAQ.