Avoid High-Risk Suppliers in Cyber Supply Chain
Suppliers assessed as high risk are not used, so that they cannot weaken the security of the cyber supply chain.
Plain language
This control is about not choosing suppliers who might pose a risk to the cybersecurity of your business. Imagine if you bought a lock for your front door from someone you know makes weak locks – you’d be leaving your house exposed to break-ins. In the same way, using high-risk suppliers can leave your business open to cyber attacks, data theft, or other serious problems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Suppliers identified as high risk by a cyber supply chain risk assessment are not used.
Why it matters
Using suppliers assessed as high risk can introduce supply chain compromise, leading to breaches, outages and loss of customer trust.
Operational notes
Perform and document cyber supply chain risk assessments, and exclude suppliers rated high risk; reassess regularly and on major supplier changes.
Implementation tips
- Procurement officers should verify the security credentials of potential suppliers. Start by asking the suppliers to provide their cybersecurity policies and any security certifications they have. This will help assess whether they align with your organisation’s security needs.
- Risk management teams should conduct a thorough risk assessment of all suppliers. Use a standard checklist to evaluate their security posture, such as their history of data breaches and measures they take to protect data. Consider using third-party services for an impartial assessment.
- IT managers should establish clear criteria for what constitutes a high-risk supplier. Collaborate with cybersecurity experts to define these criteria based on factors like supplier access to sensitive data and their past security incidents.
- Business owners and managers should hold regular meetings to review and update the supplier risk assessments. Make sure to involve key stakeholders, including IT and procurement, to discuss any changes in supplier risk status and update strategies accordingly.
- The legal team should review contracts with suppliers to ensure clauses are included that require compliance with your security standards. This can include termination clauses if suppliers fail to meet these standards or are identified as high risk.
Audit / evidence tips
- Ask for the supplier risk assessment report: a document detailing how each supplier has been evaluated and the risk rating it was given. Good: a comprehensive, up-to-date supplier assessment report that highlights any identified risks and records which suppliers were rated high risk.
- Ask suppliers to provide copies of their security certifications, such as ISO/IEC 27001. Good: the supplier holds valid, current certifications whose scope actually covers the products or services it provides to you.
- Ask to see supplier contracts: examine them for clauses covering cybersecurity compliance and risk management. Good: the contract contains specific language on security expectations, the right to reassess the supplier, and contingency or termination measures.
- Ask for meeting records where supplier risks were discussed: review minutes from meetings where supplier risk management was on the agenda. Good: the record shows thoughtful engagement with the topic and planned remediation actions with owners.
- Good: evidence that steps were taken once unreliable or non-compliant suppliers were identified, and that those actions were documented.
Cross-framework mappings
How ISM-1567 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.19 (Information security in supplier relationships) | Partially meets | ISM-1567 requires organisations to avoid using suppliers that have been assessed as high risk in the cyber supply chain |
| Annex A 5.21 (Managing information security in the ICT supply chain) | Partially meets | ISM-1567 requires that suppliers identified as high risk through a cyber supply chain risk assessment are not used |
| Annex A 5.22 (Monitoring, review and change management of supplier services) | Supports | ISM-1567 requires that suppliers deemed high risk by a cyber supply chain risk assessment are not used, which depends on suppliers being reassessed over time |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.