Ensure Provider Contracts for System Access
Service providers need a contract before accessing or managing your systems.
Plain language
This control ensures that before allowing a service provider to access or manage your organisation's systems, there must be a formal contract in place. This is important because without a contract, your business might be at risk of data breaches, misuse of systems, or unexpected costs if something goes wrong.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: May 2025
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Official control statement
An organisation's systems are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.
Why it matters
Without a contract, a provider may access or administer systems with no defined security obligations, which increases both breach risk and the organisation's liability exposure.
Operational notes
Require written contracts before provider system access, defining scope, security clauses, and offboarding; review regularly for changes.
Implementation tips
- Business owners should work with the procurement team to ensure any service providers have a written contract before they can access your systems. Clearly spell out the access permissions and responsibilities in the contract to avoid misunderstandings.
- Managers should maintain a central record of all service provider contracts related to system access. Use this record to track and verify that all necessary contracts are in place before any system access is granted.
- The IT team should verify that no external providers can access organisational systems without approval. Implement a procedure to check for the existence of a valid contract as part of the access request process.
- HR should collaborate with procurement to create standard clauses for contracts with service providers concerning system access. These clauses should cover responsibilities, security requirements, and data protection measures.
- System administrators should regularly review current system access logs and match them against the list of contracted providers. If any discrepancies are found, initiate a review of access controls and contract validity.
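The last two tips (checking for a valid contract at access time, and matching access logs against the contracted-provider list) can be automated as a reconciliation check. The following is an added example, not code from the Control Stack page or the ISM; the register layout and the `TIMESTAMP key=value` log format are assumptions, and the register entries and log lines are constructed samples.

```python
# Added example, not from the Control Stack page or the ISM: reconcile provider
# access events against a contract register (both formats are assumptions).
from collections import namedtuple
from datetime import datetime, date
# systems: what the contract authorises the provider to reach; end: last day in force
Contract = namedtuple("Contract", "provider systems start end")
# Constructed register; in practice export it from the central contract record.
REGISTER = {
    "acme-msp": Contract("acme-msp", frozenset({"erp-prod", "erp-test"}),
                         date(2025, 7, 1), date(2026, 6, 30)),
    "oldco-support": Contract("oldco-support", frozenset({"crm-prod"}),
                              date(2024, 1, 1), date(2025, 12, 31)),
}

def parse_event(line):
    """Parse 'TIMESTAMP key=value ...' (constructed log format) into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def check_event(event, register):
    """Return None if a contract covers this access, else the reason it does not."""
    contract = register.get(event["provider"])
    if contract is None:
        return "no contract on register"
    day = event["ts"].date()
    if not (contract.start <= day <= contract.end):
        return f"contract not in force on {day}"
    if event["system"] not in contract.systems:
        return f"system {event['system']} outside contracted scope"
    return None

def reconcile(lines, register=REGISTER):
    """Return (provider, system, reason) for every access no contract covers."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = check_event(ev, register)
        if reason:
            findings.append((ev["provider"], ev["system"], reason))
    return findings

SAMPLE_LOG = [  # constructed sample events, one per line
    "2026-03-10T02:14:00Z provider=acme-msp system=erp-prod action=admin_login",
    "2026-03-10T02:20:00Z provider=acme-msp system=hr-prod action=admin_login",
    "2026-03-11T09:00:00Z provider=oldco-support system=crm-prod action=ssh",
    "2026-03-11T09:05:00Z provider=unknown-vendor system=erp-prod action=rdp",
]
```

Each finding is a candidate for the access-control and contract-validity review the tips describe; the same `check_event` logic can also gate a new access request before it is approved.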
Audit / evidence tips
- Ask for the register of all service provider contracts. Verify this document lists providers with access to systems, including contract dates and access details.
  Good: includes complete and up-to-date details for each service provider.
  Good: shows explicit permissions outlined for each provider.
- Ask for the organisation's access request procedure. Examine how access is granted to service providers and verify that contractual confirmation is part of the process.
  Good: a documented procedure that mandates contract checks before access is granted.
  Good: confirms that all access instances are by contracted service providers.
- Ask for a review schedule of service provider contracts. Check whether regular reviews of these contracts are in place to ensure continuing accuracy and relevance.
  Good: includes well-documented, timely reviews with evidence of recent checks.
Cross-framework mappings
How ISM-1073 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.19 | ISM-1073 mandates that service providers can access or administer organisational systems only when a contractual agreement is in place |
| Partially overlaps | Annex A 5.21 | ISM-1073 requires contracts for system access by service providers |
| Partially overlaps | Annex A 5.22 | ISM-1073 emphasises contracts before a service provider can access organisational systems, aligning partially with ISO/IEC 27001:2022 Ann... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.