ISM-1073 ASD Information Security Manual (ISM)

Ensure Provider Contracts for System Access

Service providers need a contract before accessing or managing your systems.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
An organisation's systems are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so.

Source: ASD Information Security Manual (ISM)

Plain language

This control requires a formal contract to be in place before a service provider is allowed to access or manage your organisation's systems. This is important because without a contract, your business might be at risk of data breaches, misuse of systems, or unexpected costs if something goes wrong.

Why it matters

Without a contract, a provider may access or administer systems without defined security obligations, increasing breach and liability risk.

Operational notes

Require written contracts before provider system access, defining scope, security clauses, and offboarding; review regularly for changes.

Implementation tips

  • Business owners should work with the procurement team to ensure any service providers have a written contract before they can access your systems. Clearly spell out the access permissions and responsibilities in the contract to avoid misunderstandings.
  • Managers should maintain a central record of all service provider contracts related to system access. Use this record to track and verify that all necessary contracts are in place before any system access is granted.
  • The IT team should verify that no external providers can access organisational systems without approval. Implement a procedure to check for the existence of a valid contract as part of the access request process.
  • HR should collaborate with procurement to create standard clauses for contracts with service providers concerning system access. These clauses should cover responsibilities, security requirements, and data protection measures.
  • System administrators should regularly review current system access logs and match them against the list of contracted providers. If any discrepancies are found, initiate a review of access controls and contract validity.

Audit / evidence tips

  • Ask: the register of all service provider contracts. Verify that this document lists providers with access to systems, including contract dates and access details.

    Good: includes complete and up-to-date details for each service provider

  • Good: shows explicit permissions outlined for each provider

  • Ask: the organisation's access request procedure. Examine how access is granted to service providers and verify that contractual confirmation is part of the process.

    Good: a documented procedure that mandates contract checks before access is granted

  • Good: confirms all access instances are by contracted service providers

  • Ask: a review schedule of service provider contracts. Check whether regular reviews of these contracts are in place to ensure continuing accuracy and relevance.

    Good: includes well-documented, timely reviews with evidence of recent checks

Cross-framework mappings

How ISM-1073 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 5.19: ISM-1073 mandates that service providers can access or administer organisational systems only when a contractual agreement is in place

Partially overlaps (2)

  • Annex A 5.21: ISM-1073 requires contracts for system access by service providers
  • Annex A 5.22: ISM-1073 emphasises contracts before a service provider can access organisational systems, aligning partially with ISO/IEC 27001:2022 Ann...
