Ensuring Data Protection by Service Providers
Service providers must protect any entrusted data adequately.
Plain language
Service providers, like the companies that handle your data or host your website, need to keep your information safe. If they don’t, your data could be misused, lost, or fall into the wrong hands, causing harm to your business or personal reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services.
Why it matters
Inadequate data protection by service providers can lead to data breaches, damaging reputation and risking client trust and legal action.
Operational notes
Audit service providers and subcontractors (contracts, SLAs, attestations) to verify controls for handling, storage and disposal of your data meet requirements.
Implementation tips
- Managers should carefully choose service providers that have a strong reputation for data security. Research and compare options, and check customer reviews and independent security assessments before making a decision.
- The procurement team should include detailed data protection requirements in contracts with service providers. Specify security measures and responsibility for data breaches in the contract wording to ensure clarity and legal coverage.
- IT managers should regularly audit the service providers to ensure they are meeting the security requirements. This involves checking compliance with contractual obligations and requesting evidence of security practices.
- Ask your primary providers to share details on how their subcontractors are vetted for data protection.
- Business decision-makers should set up regular meetings with service providers to discuss ongoing security improvements. This can be done quarterly to ensure any new threats or vulnerabilities are being proactively managed and addressed.
Audit / evidence tips
- Ask for: contract documents with service providers that include data protection clauses. Good: contracts explicitly state the data protection measures and include penalties for non-compliance.
- Good: evidence that providers have been reviewed within the last year and that any issues identified have been addressed promptly.
- Ask for: details on subcontractor management processes. Good: documentation showing subcontractors comply with the same standards as primary providers.
- Good: regular engagement with providers documented, with action points and follow-up on identified issues.
- Ask for: security incident response plans involving service providers. Good: a clear, tested plan that includes roles, responsibilities, and steps for both internal and service provider teams.
Cross-framework mappings
How ISM-1395 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| **Partially overlaps (4)** | |
| Annex A 5.19 (Information security in supplier relationships) | ISM-1395 requires that service providers (and subcontractors) provide an appropriate level of protection for entrusted data |
| Annex A 5.22 (Monitoring, review and change management of supplier services) | Annex A 5.22 requires monitoring and review of supplier security practices and service delivery, and managing changes affecting security |
| Annex A 5.34 (Privacy and protection of PII) | ISM-1395 requires service providers to apply appropriate protection to data entrusted to them or their services |
| Annex A 8.30 (Outsourced development) | Annex A 8.30 requires directing, monitoring and reviewing outsourced system development to ensure security requirements are met by extern... |
| **Supports (1)** | |
| Annex A 5.20 (Addressing information security within supplier agreements) | ISM-1395 requires service providers and subcontractors to protect any data entrusted to them or their services at an appropriate level |
| **Related (1)** | |
| Annex A 5.21 (Managing information security in the ICT supply chain) | Annex A 5.21 requires management of information security risks associated with ICT products and services throughout the supply chain |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.