Ensure Security Commitment from Suppliers
Buy IT and OT products only from suppliers who show they care about product security.
Plain language
This control means that when you buy technology products or services, you should only choose suppliers who show they prioritise the security of what they sell. This is important because if the suppliers don't care about security, their products might be more vulnerable to hacking. If something goes wrong, it could cost your business time, money, or even your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Operating systems, applications, IT equipment, OT equipment and services are procured from suppliers that have demonstrated a commitment to the security of their products and services.
Why it matters
Procurement from lax suppliers can introduce vulnerable products into your network, increasing the risk of costly breaches and reputation damage.
Operational notes
Vet supplier security commitments via questionnaires, certifications and audit evidence before purchase, and re-assess key suppliers regularly to confirm secure development and support practices.
Implementation tips
- Procurement officers should identify suppliers who are committed to security. They can do this by looking for suppliers who have security certifications or who are known to follow best industry practices. This can be done by checking supplier websites or asking directly for any security-related certifications or standards they comply with.
- Managers should establish a pre-qualification process for suppliers. This involves setting criteria that suppliers must meet to be considered, such as having security policies in place and a track record of handling data responsibly. Managers can create a checklist that assesses these elements and ensure it is checked before finalising any purchase.
- The IT team should review the security features of products before they are purchased. This involves looking at technical specifications provided by suppliers and ensuring they meet the organisation's security needs. They can also ask suppliers about any recent security audits or vulnerabilities that have been uncovered and addressed.
- Purchasing staff should seek out recommendations and reviews from other customers. By contacting other businesses or reading reviews that focus on product security, the purchasing team can identify any recurring issues with security in a supplier's products. This can be done via online forums or through networking at industry events.
- Leadership should periodically review supplier performance and their commitment to security. This includes setting regular meetings to discuss supplier security and requiring suppliers to report on their ongoing security improvements. This ensures that the relationship with suppliers is continually assessed and that they stay committed to security.
Audit / evidence tips
- Ask: the supplier's security certifications or standards compliance document. Good: will show current certifications from recognised bodies such as ISO or NIST.
- Good: a detailed list with specific security consideration points for each supplier.
- Ask: records of the latest product security review conducted by the IT team. Good: is a detailed report showing thorough assessments and any actions taken as a result.
- Good: includes multiple instances of peer businesses vouching for the security of the supplier's products.
- Ask: to see records of periodic supplier performance evaluations. Good: includes recent evaluations with clear improvement actions agreed upon between the organisation and the supplier.
Cross-framework mappings
How ISM-1568 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.21 | ISM-1568 requires organisations to procure operating systems, applications, IT/OT equipment and services from suppliers that have demonst... |
| Partially overlaps | Annex A 5.20 | ISM-1568 requires organisations to buy IT/OT products and services only from suppliers that can demonstrate a commitment to security |
| Supports | Annex A 8.26 | ISM-1568 requires organisations to procure applications and technology from suppliers that demonstrate a commitment to secure products an... |
| Related | Annex A 5.19 | Annex A 5.19 requires processes and procedures to manage information security risks associated with suppliers' products and services |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.