ISM-1631 policy ASD Information Security Manual (ISM)

Identify Suppliers in Cyber Supply Chain

Ensure all suppliers linked to IT and OT systems are identified for security management.


Plain language

This control is about knowing exactly who your suppliers are for your IT and operational technology (OT) systems. Knowing your suppliers is crucial because if you don't, you can be blindsided by vulnerabilities in the software or equipment you rely on. This can lead to system failures, data breaches, or disruptions in service, costing your business time, money, and reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Suppliers of operating systems, applications, IT equipment, OT equipment and services associated with systems are identified.

Why it matters

Failure to identify all suppliers can lead to unassessed risks from third-party vulnerabilities, potentially causing breaches and operational disruptions.


Operational notes

Maintain an up-to-date register of all OS, application, IT/OT equipment and service suppliers supporting each system; review changes on procurement and renewals.


Implementation tips

  • The office manager should create a comprehensive list of all current suppliers who provide software, hardware, and other IT services. Start by gathering contracts, invoices, and any documentation from past purchases to ensure no supplier is missed.
  • The IT team should verify each supplier's role and the systems they are connected to. They can do this by reviewing system configurations and talking to staff responsible for different technologies to see where these products are used.
  • Procurement officers should vet any new suppliers before onboarding them. They should check each potential supplier’s cyber security practices, such as how they protect data and whether they routinely update and patch their software.
  • HR should provide ongoing training for staff to understand the importance of vetting suppliers and recognising potential risks associated with third-party partnerships.
  • The manager should organise regular reviews with the IT team and procurement to update and re-evaluate the supplier list. This could be done quarterly to ensure the company is aware of any changes in supplier security postures.

Audit / evidence tips

  • Ask: The master supplier list. Request a document listing all suppliers linked to IT and OT systems. Good: Shows a complete and up-to-date list with clear indications of each supplier's involvement in the organisation's systems.
  • Ask: Supplier vetting criteria. Good: Includes evidence of security checks, such as assessments of the supplier's data protection measures.
  • Ask: To see supplier contracts. Review contracts for clauses on data protection, updating of software, and breach notification. Good: Contracts that include specific terms outlining the supplier's security responsibilities.
  • Ask: Recent meeting minutes between procurement and IT. Good: Documented evidence of regular reviews and of decisions made regarding supplier management.
  • Ask: Staff cyber security awareness training records. Good: Includes agendas or attendance records from sessions focusing on third-party risk management.

Cross-framework mappings

How ISM-1631 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Supports (1)
  • Annex A 5.19: Annex A 5.19 requires organisations to manage information security risks associated with using supplier products or services through defi...

Depends on (3)
  • Annex A 5.20: ISM-1631 requires organisations to identify suppliers linked to operating systems, applications, IT/OT equipment and services associated ...
  • Annex A 5.21: ISM-1631 requires organisations to identify all suppliers associated with systems (e.g
  • Annex A 5.22: ISM-1631 requires organisations to identify all relevant suppliers in the cyber supply chain for systems and services

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
