Ensure Data Portability in Service Agreements
Make sure contracts with providers include plans for data transfer, backup, and deletion without loss.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Nov 2022
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
The storage of data in a portable manner that allows for backups, service migration and service decommissioning without any loss of data is documented in contractual arrangements with service providers.
Source: ASD Information Security Manual (ISM)
Plain language
When you use a service provider to store your data, you need to ensure you can access and move that data easily when needed. This is crucial because if your provider suddenly shuts down or if you want to change to a different provider, you could lose all your important information if these arrangements aren't in place.
Why it matters
Without contracted data portability (exportable formats and complete backups), organisations may lose data during migration or decommissioning, disrupting operations.
Operational notes
Before renewals or provider changes, confirm the contract specifies export formats, tooling, timelines and retention so backups, migration and decommissioning are lossless.
Implementation tips
- Business managers should ensure contracts with service providers include provisions for data portability. This means they should negotiate clauses that cover how data will be transferred, backed up, and deleted safely without losing it.
- The IT team should work with legal advisors to draft these data portability clauses in service agreements. They should clearly specify the formats in which data should be stored and transferred, ensuring it is easily accessible.
-
Ask: the providers directly about their process for data migration and secure deletion and request documentation proving their capabilities
- System owners should routinely review data portability practices with their providers. This means checking if the methods the provider uses are still effective and meet new or changing business needs.
- Data managers should test the data portability process periodically. They can do this by conducting 'mock' migrations to another system or storage solution to ensure that it works as expected without any data loss.
Audit / evidence tips
-
Ask: the service agreement or contract with your provider
Good: These clauses are clearly defined, feasible, and cover scenarios where data needs to be moved or deleted without loss
-
Good: Records exist showing successful data migrations or backups done in the last year without data loss
-
Ask: a demonstration of the provider's data export tools or methods
Good: The tools allow easy exportation of data in commonly used formats and are user-friendly
-
Good: Regular reviews are documented, and any recommended changes are actioned
-
Ask: the latest test results of the data portability or migration process
Good: Tests are conducted regularly and demonstrate that data can be moved or deleted as required without loss
Cross-framework mappings
How ISM-1574 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| Annex A 5.14 | ISM-1574 requires contractual arrangements with service providers to document portable data storage arrangements that support backups, se... | |
| Annex A 8.10 | ISM-1574 requires service agreements to document how data can be migrated and decommissioned without loss, which typically includes speci... | |
| Supports (2) | ||
| Annex A 5.19 | ISM-1574 requires organisations to document data portability expectations (backup, migration, and decommissioning without data loss) in c... | |
| Annex A 8.13 | ISM-1574 requires supplier contracts to document portable storage arrangements that enable backups and restoration/migration without losi... | |