Assess Supply Chain Risks for IT and OT Suppliers
Evaluate the risk suppliers pose to system security for IT and OT products and services.
Plain language
This control is about understanding and managing the risks that suppliers of IT and operational technology (OT) can pose to your business. It matters because if a supplier has weak security, it could lead to hackers gaining access to your systems, causing data breaches or service disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
A supply chain risk assessment is performed for suppliers of operating systems, applications, IT equipment, OT equipment and services in order to assess the impact to a system's security risk profile.
Why it matters
Failing to assess IT/OT supplier risks increases exposure to compromised software, hardware or services, enabling breaches and outages.
Operational notes
Perform and document supplier risk assessments (OS/apps/IT/OT equipment/services), including vendor questionnaires, attestations, and incident history reviews.
Implementation tips
- Procurement team should assess suppliers before purchase: Evaluate a supplier’s security practices by requesting information about their cybersecurity measures and history of security incidents. This can be done by including security questionnaires and references in the procurement process.
- IT manager should create a supplier risk register: List all suppliers of IT and OT products and services, logging any known risks or security incidents associated with them. Use this register to regularly assess and update the risk levels based on new information or changes in relationship.
- Senior managers should hold regular review meetings: Organise quarterly meetings with IT and procurement teams to review the supplier risk register, assess the potential impact on business operations, and decide on actions to mitigate identified risks.
- Ask suppliers to demonstrate their compliance with recognised standards, such as ISO 27001, by providing certificates or audit reports as part of the contract requirements.
- IT security staff should monitor supplier activities: Set up alerts for unusual activities in systems linked to external suppliers. This could involve using network monitoring tools to track traffic from supplier systems and quickly respond to any anomalies.
Audit / evidence tips
- Ask for the supplier risk assessment report: Request documentation that details how supplier risks have been assessed. Good: will feature detailed assessments with justifications for each risk level.
- Ask to see contracts with suppliers: Obtain copies of current contracts with major IT and OT suppliers. Good: includes specific security obligations outlined in the contracts.
- Ask for the supplier review meeting notes: Request records of review meetings held about suppliers.
- Ask for compliance certificates: Request proof of compliance to standards from key suppliers. Good: shows current and relevant compliance certificates for security standards, such as ISO 27001.
- Ask for incident response procedures related to suppliers: Request a document or policy that describes how security incidents involving suppliers are handled. Good: will include clearly defined processes and recent examples of incidents and actions taken.
Cross-framework mappings
How ISM-1452 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.19 | ISM-1452 requires organisations to perform supply chain risk assessments across suppliers of operating systems, applications, IT/OT equip... | |
| Partially overlaps (2) | | |
| Annex A 5.22 | Annex A 5.22 requires the organisation to regularly monitor, review and evaluate supplier information security practices and service deli... | |
| Annex A 8.30 | Annex A 8.30 requires directing, monitoring and reviewing outsourced system development, which inherently involves managing third-party d... | |
| Related (1) | | |
| Annex A 5.21 | ISM-1452 requires a supply chain risk assessment for suppliers of operating systems, applications, IT/OT equipment and services to determ... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-MF-ML1.5 | E8-MF-ML1.5 mandates MFA for third-party online services with sensitive data to prevent unauthorised access | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.