Maintain a Register for Managed Services
Organisations must keep a list of managed services and update it regularly.
Plain language
Organisations need to keep an up-to-date list of all their managed services, like IT or security services that are handled by outside companies. This is important because it helps keep track of who is responsible for what, reducing the risk of data breaches or other security issues slipping through the cracks.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Topic
Managed Services
Official control statement
A managed service register is developed, implemented, maintained and verified on a regular basis.
Why it matters
Without an up-to-date managed service register, responsibilities and service boundaries become unclear, leading to unmanaged changes, service lapses and security breaches.
Operational notes
Verify the managed service register regularly; keep provider, contract and service details current; assign service owners; and set review dates to confirm entries remain accurate.
Implementation tips
- The IT manager should create and maintain a register of all currently used managed services. This involves listing each service provider, the services they deliver, and any associated contracts or service agreements.
- The procurement team should regularly check and update the list of managed services. They can do this by reviewing purchase orders and contracts to ensure all services are properly documented.
- The finance team should verify that payments align with the listed services in the managed service register. This involves cross-checking invoices against the register to confirm all services are accounted for and budgeted correctly.
- The compliance officer should conduct quarterly reviews of the managed service register. This involves meeting with the IT team to go over any changes, updates, or new services that need recording.
- The executive team should periodically get briefed on the state of the managed services register. This could be in the form of a summary report that highlights key changes or areas of concern, ensuring they are aware of all outsourced operations.
Audit / evidence tips
- Ask for the managed service register: Request a detailed list of all managed services the organisation uses.
  Good: a comprehensive and current document that matches the services used.
- Ask for recent amendments: Request any recent updates or changes made to the managed service register in the past year.
  Good: shows timely updates with clear reasons documented.
- Ask to see the review schedule: Request a document that outlines how often the managed service register is reviewed.
  Good: includes a regular schedule that ensures the register is kept current.
- Ask for payment records: Request a few samples of payments made for managed services.
  Good: shows alignment between financial records and the services documented.
- Ask for briefing reports to executives: Request a summary report provided to the executive team regarding managed services.
  Good: includes evidence of regular briefings to keep leadership informed.
Cross-framework mappings
How ISM-1736 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 5.19 | ISM-1736 requires organisations to maintain a current, verified register of managed services | |
| Annex A 5.21 | ISM-1736 requires organisations to maintain and regularly verify a register of managed services | |
| Annex A 5.22 | Annex A 5.22 requires regular monitoring, review and evaluation of supplier services and the management of changes in supplier delivery a... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.