Verify Security Compliance in Service Contracts
Contracts with service providers must include clauses that allow security compliance checks.
Plain language
This control ensures that when you hire a service provider, your contract with them includes a clause that lets you check if they're doing their job securely. If you don't have this right, you might not be able to spot or fix problems when the provider's security fails, which could lead to data breaches or other serious issues.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Nov 2022
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Official control statement
The right to verify compliance with security requirements is documented in contractual arrangements with service providers.
Why it matters
Without a contractual right to verify/audit service providers, noncompliance may go undetected, increasing breach risk and legal exposure.
Operational notes
Ensure contracts explicitly grant rights to verify/audit security compliance (including evidence access). Schedule periodic audits and review attestations or reports.
Implementation tips
- Procurement officers should include a security compliance clause in all new service contracts. This clause should explicitly grant your organisation the right to conduct security checks or audits on the service provider's operations related to your services.
- Managers should communicate with current service providers to amend existing contracts. They need to discuss the importance of this clause for ensuring security and aim to get an agreement in writing.
- Legal teams should draft a standard compliance verification clause. This clause should clearly outline your organisation's right to audit, what kind of checks can be performed, and how often these audits can occur.
- IT and security teams should develop a checklist of security requirements for service providers. This list should cover the necessary technical and procedural standards that providers must adhere to and regularly review it to ensure it's up to date.
- Executive management should oversee the process to ensure that security checkpoints are in place for all service-based contracts. This might involve setting up periodic reviews to ensure contracts remain compliant over their duration.
Audit / evidence tips
- Ask: copies of contracts with service providers. Good: will be clear language granting the organisation audit rights and specifying the frequency and scope of audits.
- Good: will detail the necessity of such clauses in every service provider contract.
- Good: includes dates, findings, remedial actions, and proof of completion.
- Ask: descriptions of security training or awareness programmes for procurement teams. Good: will show regular training sessions and include a focus on compliance.
- Good: will be a comprehensive list showing all service providers with up-to-date compliance verification in their contracts.
Cross-framework mappings
How ISM-1571 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.19 | Partially meets | ISM-1571 requires contractual arrangements to include the right for the organisation to verify a service provider’s compliance with secur... |
| Annex A 5.20 | Partially meets | ISM-1571 requires that service provider contracts explicitly document the organisation’s right to verify the provider’s compliance with s... |
| Annex A 5.22 | Supports | ISM-1571 requires service provider contracts include a documented right for the organisation to verify compliance with security requirements |
| Annex A 5.31 | Supports | Annex A 5.31 requires the organisation to identify and document contractual requirements relevant to information security and keep them u... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.