Limit Network Documentation for Third Parties
When sharing network details, only provide what's needed for others to fulfill their contracts.
Plain language
Only share with third parties the network details they absolutely need to do their job. This matters because giving away more than that can expose your systems to security breaches or misuse.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Topic
Network Documentation
Official control statement
Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services.
Why it matters
Over-sharing network diagrams, IP ranges, and access paths with third parties can enable targeted intrusion, raising breach and outage risk.
Operational notes
Before sharing with vendors/tenders, redact non-essential details (e.g., IP ranges, device names, trust links) and record approvals for released docs.
Implementation tips
- The IT manager should identify what network information third parties need for their tasks. Make a list of required details by consulting with the parties to ensure nothing unnecessary is included.
- Procurement teams should include a clause in contracts that limits the sharing of network information to only what's needed. Ensure all new contracts specify the minimal details third parties should receive.
- Managers overseeing projects with third-party involvement should hold a briefing with their teams. Discuss exactly which network details are needed and document these discussions to avoid any unnecessary disclosures.
- Security officers should conduct a review of all network documentation before it is distributed. Check the documents to ensure they align with the agreed list of necessary details and remove any extraneous information.
- IT teams should keep a record of what network information has been shared and with whom. Use a simple tracking system to log each sharing instance, documenting the reasons and approvals for sharing the information.
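The redaction and tracking steps above, as an added example that is not part of the control text: a small Python helper that masks IP ranges, device names and trust-link descriptions from a network document unless they are on the agreed "needed" list, and records the release with its approver. The device-naming pattern and the sample document are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Details the Operational notes treat as non-essential by default.
CIDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")
# Hypothetical device-naming convention used only for this example (e.g. core-sw-01).
DEVICE_RE = re.compile(r"\b(?:core|edge|dmz|mgmt)-(?:sw|fw|rtr)-\d{2}\b")
# Whole line describing trust links; masked first so embedded IPs/devices go with it.
TRUST_RE = re.compile(r"\btrust(?:ed)? links?:?[^\n]*", re.IGNORECASE)

@dataclass
class Disclosure:
    """One entry in the sharing log: who received what, why, and who approved it."""
    recipient: str
    purpose: str
    approver: str
    released_text: str
    redaction_count: int
    released_on: date = field(default_factory=date.today)

def redact_network_doc(text: str, keep: frozenset = frozenset()) -> tuple[str, int]:
    """Mask IP ranges, device names and trust links unless the exact value is in `keep`."""
    count = 0

    def mask(m: re.Match) -> str:
        nonlocal count
        if m.group(0) in keep:          # agreed-as-needed detail stays visible
            return m.group(0)
        count += 1
        return "[REDACTED]"

    out = text
    for pattern in (TRUST_RE, CIDR_RE, DEVICE_RE):
        out = pattern.sub(mask, out)
    return out, count

def release_to_third_party(text: str, recipient: str, purpose: str,
                           approver: str, keep: frozenset = frozenset()) -> Disclosure:
    """Redact, then produce the log record that the IT team keeps for each release."""
    redacted, n = redact_network_doc(text, keep)
    return Disclosure(recipient, purpose, approver, redacted, n)

# Constructed sample document; only the vendor's own VLAN subnet is agreed as needed.
SAMPLE_DOC = """Vendor VLAN 40 (10.40.0.0/24) is reachable from core-sw-01.
Management network 10.0.0.0/16 is not required.
Trusted links: edge-fw-02 to partner site 203.0.113.0/24.
"""
```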
Audit / evidence tips
- Ask: a copy of the current contracts with third parties. Request documentation that details network information sharing terms.
  Good: includes clear contractual language restricting network information to what is specifically needed.
- Ask: access to the network documentation sharing log. Request to see records of what network information has been shared and with whom.
  Good: will have detailed logs with minimal entries and clear authorisations.
- Ask: about the review process of network documentation. Request procedures showing how network documents are reviewed before sharing.
  Good: demonstrates a robust review process involving a security officer's sign-off.
- Ask: communication records about briefings with teams. Request minutes or notes from meetings where network detail sharing was discussed.
  Good: includes documented discussions with clear outcomes and responsible parties.
- Ask: about the training materials for managing network information sharing. Request examples of training provided to staff on this topic.
  Good: includes relevant, regular training materials that cover the importance of limiting information.
Cross-framework mappings
How ISM-1178 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.14 | ISM-1178 requires that network documentation shared with third parties (including in public tenders) is limited to only what is necessary... |
| Partially overlaps | Annex A 5.20 | ISM-1178 requires limiting the amount of network documentation shared with third parties to what is necessary for contractual services |
| Supports | Annex A 5.19 | ISM-1178 requires that network documentation provided to third parties is restricted to the minimum necessary for contractual delivery |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.