ISM-0072, ASD Information Security Manual (ISM)

Ensure Security in Contracts with Service Providers

Service contracts must include security measures for data protection and be regularly reviewed to ensure they're effective.


Plain language

This control is about making sure any contracts with external service providers include clear rules about how they must protect your data. It's important because if these rules aren't in place, a provider could mishandle your data, leading to privacy breaches, financial loss, or damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose.

Why it matters

If security requirements are not documented in service provider contracts and reviewed as threats, technology and the service itself change, the confidentiality, integrity and availability of the data the provider handles may be compromised, causing financial and reputational harm.


Operational notes

Regularly review and update the security clauses in provider contracts (e.g., access controls, incident reporting obligations, audit rights, data handling and return or destruction of data) to confirm they still cover the confidentiality, integrity and availability of the data involved, remain fit for purpose, and are actually being met.


Implementation tips

  • Procurement staff should include security clauses when drafting contracts with service providers. They can do this by working with a legal advisor to ensure that contracts contain terms requiring the provider to protect your data in line with recognised standards, such as the ASD Information Security Manual (ISM) or the Essential Eight.
  • Managers should ensure that contracts with service providers specify how often security reviews will occur. This can be done by including a clause that mandates regular security assessments and sets out the procedure for those assessments in the contract.
  • System owners should regularly meet with the contracted service provider to review the effectiveness of the security measures stated in the contract. This can be achieved by scheduling quarterly meetings to discuss any security incidents, updates, and improvements.
  • Legal teams should verify that all contracts are updated with new security requirements as technology and threats evolve. They can do this by setting a review date within each contract and collaborating with cybersecurity experts on the necessary updates.
  • The IT team should monitor the service provider's compliance with the contractual security measures. This can be achieved by tracking the reports, incident notifications and audit evidence the contract requires the provider to supply, flagging any gap, non-compliance or potential breach, and following up with the provider to resolve these issues.

Audit / evidence tips

  • Ask: A copy of the full contract with the service provider. Good: The contract will include specific terms about data protection and an outlined process for regular security reviews.
  • Ask: To see evidence of recent security assessments conducted according to the contract terms.
  • Ask: How they track and enforce the security terms within provider contracts. Good: Would include specific examples and dates of reviews or meetings.
  • Good: Observation would see regular updates and documentation showing contract amendments when necessary.

Cross-framework mappings

How ISM-0072 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (3)
  • Annex A 5.19: requires organisations to define and implement processes to manage information security risks arising from supplier products...
  • Annex A 5.36: requires organisations to regularly review compliance with information security policies, rules and standards
  • Annex A 6.6: requires the organisation to identify, document, regularly review and obtain signed confidentiality or non-disclosure agreeme...

Supports (2)
  • Annex A 5.14: requires organisations to define and apply rules/procedures/agreements for transferring information between the organisation...
  • Annex A 5.32: requires the organisation to implement procedures to protect intellectual property rights, commonly including contractual co...

Depends on (1)
  • Annex A 5.22: requires monitoring, review and evaluation of supplier practices against expectations, and to manage changes

Related (2)
  • Annex A 5.20: requires information security requirements to be agreed with each supplier
  • Annex A 5.21: requires processes and procedures to manage information security risks arising from ICT suppliers and service dependencies

ISO 42001

Partially overlaps (1)
  • Annex A 6.2.2: requires documenting requirements for new AI systems or material enhancements, often including external services, data hand...

Supports (1)
  • Annex A 9.4: requires AI systems to be used according to intended use and documentation, including constraints relating to confidentiality...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
