Ensuring Data Protection by Service Providers
Service providers must protect any entrusted data adequately.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Nov 2022
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A
Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services.
Source: ASD Information Security Manual (ISM)
Plain language
Service providers, like the companies that handle your data or host your website, need to keep your information safe. If they don’t, your data could be misused, lost, or fall into the wrong hands, causing harm to your business or personal reputation.
Why it matters
Inadequate data protection by service providers can lead to data breaches, damaging reputation and risking client trust and legal action.
Operational notes
Audit service providers and subcontractors (contracts, SLAs, attestations) to verify controls for handling, storage and disposal of your data meet requirements.
Implementation tips
- Managers should carefully choose service providers that have a strong reputation for data security. Research and compare options, and check customer reviews and independent security assessments before making a decision.
- The procurement team should include detailed data protection requirements in contracts with service providers. Specify security measures and responsibility for data breaches in the contract wording to ensure clarity and legal coverage.
- IT managers should regularly audit the service providers to ensure they are meeting the security requirements. This involves checking compliance with contractual obligations and requesting evidence of security practices.
- Ask your primary providers to share details on how their subcontractors are vetted for data protection.
- Business decision-makers should set up regular meetings with service providers to discuss ongoing security improvements. This can be done quarterly to ensure any new threats or vulnerabilities are being proactively managed and addressed.
Audit / evidence tips
- Ask: contract documents with service providers that include data protection clauses. Good: contracts explicitly state the data protection measures and include penalties for non-compliance.
- Good: evidence that providers have been reviewed within the last year and that any issues have been addressed promptly.
- Ask: details on subcontractor management processes. Good: documentation showing subcontractors comply with the same standards as primary providers.
- Good: regular engagement documented with action points and follow-up on identified issues.
- Ask: security incident response plans involving service providers. Good: a clear, tested plan that includes roles, responsibilities, and steps for both internal and service provider teams.
Cross-framework mappings
How ISM-1395 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | ISO 27001 control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.19 | ISM-1395 requires that service providers (and subcontractors) provide an appropriate level of protection for entrusted data |
| Partially overlaps | Annex A 5.22 | Annex A 5.22 requires monitoring and review of supplier security practices and service delivery, and managing changes affecting security |
| Partially overlaps | Annex A 5.34 | ISM-1395 requires service providers to apply appropriate protection to data entrusted to them or their services |
| Partially overlaps | Annex A 8.30 | Annex A 8.30 requires directing, monitoring and reviewing outsourced system development to ensure security requirements are met by extern... |
| Supports | Annex A 5.20 | ISM-1395 requires service providers and subcontractors to protect any data entrusted to them or their services at an appropriate level |
| Related | Annex A 5.21 | Annex A 5.21 requires management of information security risks associated with ICT products and services throughout the supply chain |