ISM-0731 ASD Information Security Manual (ISM)

CISO Oversight of Cyber Supply Chain Risks

The CISO is responsible for managing risks in their organisation's cyber supply chain.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Proactive

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Sept 2020

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
The CISO oversees cyber supply chain risk management activities for their organisation.

Source: ASD Information Security Manual (ISM)

Plain language

The Chief Information Security Officer (CISO) needs to keep an eye on the cyber security risks that come from working with other companies and suppliers. This matters because a supplier with poor security can become the route to stolen data, financial loss, or reputational harm for your organisation.

Why it matters

Without CISO oversight of supply chain risk, supplier weaknesses may go unmanaged, leading to breaches, data theft, and reputational and financial harm.

Operational notes

Have the CISO set a cadence for supplier risk reporting, approve risk acceptances, and ensure supply chain risk assessments are updated when vendors or services change.

Implementation tips

  • The CISO should identify key suppliers: Make a list of all the companies your organisation relies on for technology and data services, including providers of software, hardware, and data processing services.
  • The CISO should ask potential suppliers how they secure their systems and data: Get written answers before a contract is signed, and keep them with the supplier's entry so they can be re-checked at renewal.
  • The IT team should monitor supplier access: Keep track of any access suppliers have to your systems, and set up alerts for unusual access patterns or changes in what a supplier can reach.
  • The management team should develop a risk management plan: Work with the CISO to create a plan that outlines how your organisation will handle security issues with suppliers. The plan should include steps for different scenarios, such as a data breach at a supplier.
  • Suppliers should be included in incident response exercises: Run cyber security drills with suppliers so they know how to respond to incidents. This improves coordination when a real security event occurs.
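The supplier access monitoring tip above is the one part of this control that turns into something an IT team actually runs. The following is an added example, not code from Control Stack or the ISM: it checks constructed supplier access log lines against a supplier access register of the kind the CISO would approve, and flags access that the register does not cover. The supplier names, accounts, systems, log format and time window are all constructed for illustration; a real deployment would read the register from the supplier list kept under this control and the log lines from the organisation's authentication or VPN logs.

```python
"""Check supplier access log lines against a CISO-approved supplier access register.

Added example, not part of the ISM or the Control Stack page. All supplier names,
accounts, systems and log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import NamedTuple


@dataclass(frozen=True)
class SupplierAccess:
    supplier: str
    accounts: frozenset        # accounts the supplier is approved to use
    systems: frozenset         # systems those accounts may reach
    window: tuple              # (start, end) approved local access window
    contract_end: date         # access after this date is not approved


class Finding(NamedTuple):
    supplier: str              # "<unregistered>" when the account maps to no supplier
    account: str
    reason: str
    line: str


# Constructed register: what the CISO has approved, per supplier.
REGISTER = (
    SupplierAccess("acme-msp", frozenset({"svc-acme", "acme.jones"}),
                   frozenset({"erp-prod", "erp-db"}), (time(8, 0), time(18, 0)),
                   date(2026, 12, 31)),
    SupplierAccess("northwind-dev", frozenset({"nw-build"}),
                   frozenset({"ci-runner"}), (time(0, 0), time(23, 59)),
                   date(2025, 6, 30)),
)
ACCOUNT_INDEX = {acct: entry for entry in REGISTER for acct in entry.accounts}

# Constructed log lines: "<ISO timestamp> <account> <system> <result>".
LOG_LINES = [
    "2026-03-02T09:15:00 svc-acme erp-prod success",      # within approval
    "2026-03-02T22:40:00 acme.jones erp-prod success",    # outside approved hours
    "2026-03-02T10:05:00 svc-acme hr-payroll success",    # non-approved system
    "2026-03-03T11:00:00 nw-build ci-runner success",     # contract has ended
    "2026-03-03T11:02:00 unknown-vendor erp-db failure",  # account not in register
]


def parse_line(line):
    """Split one constructed log line into (timestamp, account, system, result)."""
    ts, account, system, result = line.split()
    return datetime.fromisoformat(ts), account, system, result


def check_line(line):
    """Return the findings for one log line; an empty list means the access was approved."""
    ts, account, system, _result = parse_line(line)
    entry = ACCOUNT_INDEX.get(account)
    if entry is None:
        # Any account not in the register is a finding, successful or not.
        return [Finding("<unregistered>", account,
                        "account not in supplier access register", line)]
    findings = []
    if system not in entry.systems:
        findings.append(Finding(entry.supplier, account,
                                f"access to non-approved system {system}", line))
    start, end = entry.window
    if not (start <= ts.time() <= end):
        findings.append(Finding(entry.supplier, account,
                                f"access at {ts.time()} outside approved window {start}-{end}", line))
    if ts.date() > entry.contract_end:
        findings.append(Finding(entry.supplier, account,
                                f"access after contract end {entry.contract_end}", line))
    return findings


def review(lines):
    """Run every non-empty log line through check_line and collect the findings."""
    return [f for line in lines if line.strip() for f in check_line(line)]


def summarise(findings):
    """Count findings per supplier: the figure that goes into the CISO's periodic report."""
    summary = {}
    for f in findings:
        summary[f.supplier] = summary.get(f.supplier, 0) + 1
    return summary


if __name__ == "__main__":
    found = review(LOG_LINES)
    for f in found:
        print(f"{f.supplier:15} {f.account:15} {f.reason}")
    print(summarise(found))
```

The per-supplier summary is the piece that feeds the reporting cadence the operational notes ask the CISO to set; the individual findings are what the IT team acts on. The contract-end check is worth keeping even when it looks redundant with account deprovisioning, because it catches exactly the case where an account outlived the contract that justified it.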

Audit / evidence tips

  • Ask for the list of key suppliers: Request the document that lists all suppliers important to your organisation's IT services

    Good: an up-to-date list with every supplier's name, the service provided, and a contact

  • Ask for supplier security assessments: Request the reports or records of the security evaluations conducted on suppliers

    Good: shows regular reviews, with action points tracked to closure

  • Ask for monitoring logs of supplier access: Request the logs that show how and when suppliers access your systems

    Good: comprehensive logs with evidence of regular review and of responses to any issues found

  • Ask to see the risk management plan for supplier-related risks: Request the document outlining your organisation's approach to handling supplier risks

    Good: a detailed plan with dates and responsible persons noted

  • Ask to see records of incident response exercises involving suppliers: Request documentation showing that suppliers take part in incident response tests

    Good: reports on completed exercises with supplier roles clearly defined

Cross-framework mappings

How ISM-0731 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (4)

  Annex A 5.19 (Information security in supplier relationships): ISM-0731 requires the CISO to oversee the organisation's cyber supply chain risk management activities
  Annex A 5.20 (Addressing information security within supplier agreements): ISM-0731 requires CISO oversight of cyber supply chain risk management across the organisation
  Annex A 5.21 (Managing information security in the ICT supply chain): ISM-0731 requires the CISO to oversee cyber supply chain risk management activities for their organisation
  Annex A 5.22 (Monitoring, review and change management of supplier services): ISM-0731 requires CISO oversight of cyber supply chain risk management activities

Partially overlaps (1)

  Annex A 8.30 (Outsourced development): Annex A 8.30 requires the organisation to direct, monitor and review outsourced system development activities so security is maintained w...
