Ensure Secure Procurement from Reliable Suppliers
Buy technology from suppliers known for keeping their systems secure.
Plain language
This control is about buying technology, like computers and software, from suppliers known for having good security. This is important because if these suppliers aren't secure themselves, your business could end up with vulnerable products that hackers could exploit, leading to data breaches or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Operating systems, applications, IT equipment, OT equipment and services are procured from suppliers that have a strong track record of maintaining the security of their own systems.
Why it matters
Purchasing from insecure suppliers risks receiving compromised technology, which can lead to data breaches or operational disruptions.
Operational notes
Periodically assess suppliers’ security posture, incident history and assurance evidence (e.g., audits) before purchase and renewal to reduce supply-chain compromise risk.
Implementation tips
- Procurement staff should research suppliers before making a purchase. They can do this by looking for supplier reviews, checking for security certifications, and asking for references from other customers. This will help ensure the supplier has a good reputation for security.
- IT teams should verify that suppliers adhere to security standards. This can be done by requesting documentation of their security practices, such as compliance with ISO/IEC 27001, which is an international standard for information security.
- Managers should incorporate security criteria into the procurement process. They can achieve this by adding specific security requirements into supplier agreements and contracts, ensuring suppliers commit to these standards.
- HR should ensure staff involved in procurement are trained on identifying secure suppliers. This can involve organising workshops or online training sessions that explain what to look for in a secure supplier.
- Board members should regularly review procurement policies to ensure they emphasise secure sourcing. This might include setting up annual reviews of procurement practices to align with emerging security threats and industry best practices.
Audit / evidence tips
- Ask: procurement records of recent technology purchases
  Good: having documented proof of supplier evaluations and security certifications
- Good: will show comprehensive risk assessments and decision documents
- Ask: training records of staff involved in procurement
  Good: includes detailed records of training topics and attendance
- Good: will include contractual security obligations with clear terms
- Ask: meeting notes or records from security review meetings with suppliers
  Good: includes clear records of meetings and documented resolutions
Cross-framework mappings
How ISM-1632 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001: Partially meets (2)
| Control | Notes |
|---|---|
| Annex A 5.19 | ISM-1632 requires organisations to procure operating systems, applications, equipment and services from suppliers with a strong track rec... |
| Annex A 5.21 | ISM-1632 requires organisations to procure ICT/OT products and services from suppliers with a proven ability to maintain the security of ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.