Ensure Data Portability in Service Agreements
Make sure contracts with providers include plans for data transfer, backup, and deletion without loss.
Plain language
When you use a service provider to store your data, you need to ensure you can access and move that data easily when needed. This is crucial because if your provider suddenly shuts down or if you want to change to a different provider, you could lose all your important information if these arrangements aren't in place.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The storage of data in a portable manner that allows for backups, service migration and service decommissioning without any loss of data is documented in contractual arrangements with service providers.
Why it matters
Without contracted data portability (exportable formats and complete backups), organisations may lose data during migration or decommissioning, disrupting operations.
Operational notes
Before renewals or provider changes, confirm the contract specifies export formats, tooling, timelines and retention so backups, migration and decommissioning are lossless.
Implementation tips
- Business managers should ensure contracts with service providers include provisions for data portability. This means they should negotiate clauses that cover how data will be transferred, backed up, and deleted safely without losing it.
- The IT team should work with legal advisors to draft these data portability clauses in service agreements. They should clearly specify the formats in which data should be stored and transferred, ensuring it is easily accessible.
-
Askthe providers directly about their process for data migration and secure deletion and request documentation proving their capabilities
- System owners should routinely review data portability practices with their providers. This means checking if the methods the provider uses are still effective and meet new or changing business needs.
- Data managers should test the data portability process periodically. They can do this by conducting 'mock' migrations to another system or storage solution to ensure that it works as expected without any data loss.
Audit / evidence tips
-
Askthe service agreement or contract with your provider
GoodThese clauses are clearly defined, feasible, and cover scenarios where data needs to be moved or deleted without loss
-
GoodRecords exist showing successful data migrations or backups done in the last year without data loss
-
Aska demonstration of the provider's data export tools or methods
GoodThe tools allow easy exportation of data in commonly used formats and are user-friendly
-
GoodRegular reviews are documented, and any recommended changes are actioned
-
Askthe latest test results of the data portability or migration process
GoodTests are conducted regularly and demonstrate that data can be moved or deleted as required without loss
Cross-framework mappings
How ISM-1574 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| Annex A 5.14 | ISM-1574 requires contractual arrangements with service providers to document portable data storage arrangements that support backups, se... | |
| Annex A 8.10 | ISM-1574 requires service agreements to document how data can be migrated and decommissioned without loss, which typically includes speci... | |
| handshake Supports (2) expand_less | ||
| Annex A 5.19 | ISM-1574 requires organisations to document data portability expectations (backup, migration, and decommissioning without data loss) in c... | |
| Annex A 8.13 | ISM-1574 requires supplier contracts to document portable storage arrangements that enable backups and restoration/migration without losi... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.