Document Service Provider Data Handling and Change Notifications
Ensure service contracts specify data regions and notify configuration changes ahead of time.
Plain language
This control ensures that when you use an external service for things like document storage or processing, you know exactly where your data is being kept and that any changes to how this service is configured are communicated to you in advance. This is crucial because if changes occur without your knowledge or if your data is stored in places with weak privacy laws, your business could be at risk of data breaches or legal issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The regions or availability zones where data will be processed, stored and communicated, as well as a minimum notification period for any configuration changes, is documented in contractual arrangements with service providers.
Why it matters
Without documented regions/availability zones and change notice periods in contracts, data may be processed in unsuitable jurisdictions and provider changes may disrupt services without warning.
Operational notes
Ensure provider contracts explicitly state processing/storage/communication regions or availability zones and a minimum notice period for configuration changes; review on renewal and track change notices.
Implementation tips
- Look at clauses in the contract that specify data regions or availability zones, and ensure that the service provider commits to these locations in writing.
- The IT manager should set up a system to receive and track notifications from service providers about any configuration changes. Establish a clear point of contact within your organisation to receive these notifications and ensure they are communicated to relevant staff in a timely manner.
- The legal or compliance officer should review all contracts to ensure they contain a requirement for advance notice of any configuration changes. Ensure that this period is realistic and provides enough time for your organisation to assess the impact of the changes.
- System administrators should continuously monitor the compliance of service providers with the agreed contractual terms regarding data location and configuration changes. Use regular check-ins or automated alerts to verify that data remains in agreed regions.
- Communicate with your internal teams about the locations where your data is stored and any potential upcoming changes. This can be done through regular meetings or updates, ensuring all key staff understand the implications of any changes in service provider configurations.
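The monitoring described in the tips above can be partly automated. The following is an added example (not code from the page or from any provider) that checks a resource inventory against the contracted regions and checks received change notices against the contracted minimum notice period; the provider name, region names, resources and notices are all constructed for illustration.

```python
from datetime import date

# Constructed contract terms; in practice these come from the signed agreement.
CONTRACT = {
    "provider": "example-provider",  # hypothetical provider name
    "allowed_regions": {"australia-east", "australia-southeast"},
    "min_notice_days": 30,
}

# Constructed inventory export: one row per data-holding resource and its region.
INVENTORY = [
    {"resource": "docstore-prod", "region": "australia-east"},
    {"resource": "docstore-backup", "region": "australia-southeast"},
    {"resource": "ocr-worker", "region": "us-west"},
]

# Constructed change notices: when the notice was received and when the change takes effect.
NOTICES = [
    {"change": "storage tier migration", "received": date(2026, 1, 5), "effective": date(2026, 2, 20)},
    {"change": "API endpoint cutover", "received": date(2026, 3, 1), "effective": date(2026, 3, 10)},
]


def region_violations(inventory, contract):
    """Return resources located outside the contractually agreed regions/availability zones."""
    allowed = contract["allowed_regions"]
    return [r["resource"] for r in inventory if r["region"] not in allowed]


def short_notice(notices, contract):
    """Return change notices that arrived with less than the contracted minimum notice period."""
    minimum = contract["min_notice_days"]
    return [n["change"] for n in notices if (n["effective"] - n["received"]).days < minimum]


def compliance_report(inventory, notices, contract):
    """Combine both checks into the findings an auditor would expect to see logged."""
    return {
        "region_violations": region_violations(inventory, contract),
        "short_notice_changes": short_notice(notices, contract),
    }


if __name__ == "__main__":
    for finding, items in compliance_report(INVENTORY, NOTICES, CONTRACT).items():
        print(f"{finding}: {items or 'none'}")
```

Run against a real inventory export and notice log, the two lists become the evidence for the "monitoring reports" and "records of notifications" audit items below.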
Audit / evidence tips
- Ask: the service contract documents. Request current agreements and terms of service with each provider.
  Good: the contract clearly outlines these regions and includes a clause for advance notice of changes.
- Ask: records of notifications received from service providers in the past year. Examine the notification logs or emails.
  Good: the record shows that notifications were received well before changes took effect.
- Ask: meeting minutes where data location and configuration change notices were discussed. Check the frequency and content of these meetings.
  Good: the meeting record indicates regular review and understanding of contracted data locations and any incoming changes.
- Ask: to see the monitoring reports from system administrators. Examine the logs or reports for evidence of ongoing data location monitoring.
  Good: the report contains regular checks against contract terms, including automated alerts for unauthorized changes.
- Ask: staff training records related to data handling and service provider management. Inspect these records to ensure all relevant staff are aware of data location issues and change notification processes.
  Good: a comprehensive training record shows regular and targeted training sessions.
Cross-framework mappings
How ISM-1572 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.19 | Partially meets | ISM-1572 requires contractual arrangements with service providers to document the regions/availability zones where data is processed, sto... |
| Annex A 5.20 | Partially meets | ISM-1572 requires explicit supplier contract terms for data handling locations (regions/availability zones) and minimum advance notice fo... |
| Annex A 8.21 | Supports | Annex A 8.21 requires network service requirements and service levels to be identified and monitored so services meet agreed standards |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.