Establish Shared Responsibility Model for Supply Chain
Suppliers and customers must document and share security duties to understand who is responsible for what.
Plain language
This control is about making sure everyone knows who is in charge of what when it comes to security. By clearly setting out each party's responsibilities between suppliers and customers, you prevent confusion. If this is not done, tasks can fall through the cracks, leaving your sensitive information exposed and putting your business at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
A shared responsibility model is created, documented and shared between suppliers and their customers in order to articulate the security responsibilities of each party.
Why it matters
Without a clear shared responsibility model, accountability gaps can lead to security breaches and data loss across the supply chain.
Operational notes
Regularly review and update supplier/customer responsibility boundaries to keep obligations clear as roles and services change.
Implementation tips
- Procurement should collaborate with the supplier to draft a document that clearly outlines security responsibilities. This involves listing all tasks and identifying who will handle each one. Meeting regularly to update this document ensures that any changes in responsibilities are captured.
- The IT manager should work with suppliers to establish security requirements at the start of the contract. This means agreeing on who will implement antivirus software, handle updates, and respond to any security threats. This agreement should be written down and shared with both sides.
- Managers should ensure that all employees understand the shared security responsibilities through a briefing session. They can arrange small workshops or seminars and provide printed or online materials to make it clear who does what.
- The legal team should review contracts to ensure clarity in security responsibilities before finalising deals. This process should include clauses that specify security duties, highlighting any shared tasks or individual responsibilities.
- Risk management teams should regularly review and update the shared responsibility document. Conduct an assessment of past security incidents to see if responsibilities need adjusting, ensuring that both parties remain protected against new and existing threats.
Audit / evidence tips
- Ask: the shared responsibility agreement document. Request written proof of the security responsibilities documented between the supplier and customer.
  Good: the agreement is up to date, signed by both parties, and lists who is responsible for each security measure.
- Ask: a list of current contacts for security responsibilities. Request the document that provides the names and roles of those in charge on both sides. Check that each role has a named contact with contact details and an alternate where applicable.
  Good: the list is current, detailed, and includes a plan for absence cover.
- Ask: documented examples of how incidents were addressed under the shared responsibility model.
- Ask: the legal review of contracts regarding security duties. Request evidence that the legal team endorses the shared responsibility model. Assess whether the contracts specify duties and carry the necessary signatures.
  Good: the documents are legally sound, with acknowledgements from both supplier and customer.
Cross-framework mappings
How ISM-1569 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| Annex A 5.19 | ISM-1569 requires a shared responsibility model that is documented and shared between supplier and customer to clearly assign security responsibi... | |
| Annex A 5.20 | ISM-1569 requires a shared responsibility model that is documented and shared so both parties understand their respective security duties | |
| Annex A 6.5 | Annex A 6.5 requires ongoing information security obligations to be defined, enforced and communicated when employment terminates or role... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.