ISM-1737 | ASD Information Security Manual (ISM)

Maintain a Comprehensive Managed Service Register

Keep a detailed register of all managed services, including providers, purpose, data sensitivity, assessment schedules, and contacts.

Plain language

This control is about keeping an organised list of all the outside services you use for things like cloud storage or IT support. It matters because if you don’t know who is managing your important data and when their security was last checked, you might miss a critical issue that could lead to a data breach or service interruption.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A managed service register contains the following for each managed service:

  • managed service provider's name
  • managed service's name
  • purpose for using the managed service
  • sensitivity or classification of data involved
  • due date for the next security assessment of the managed service
  • contractual arrangements for the managed service
  • point of contact for users of the managed service
  • 24/7 contact details for the managed service provider.

ASD Information Security Manual (ISM), ISM-1737

Why it matters

Without a managed service register, provider contacts, contracts and assessment due dates are missed, raising the risk of unmanaged services and data breaches.

Operational notes

Keep a register per service: provider, purpose, data classification, contract, user POC, 24/7 contacts, and next assessment due date; update on change.

Implementation tips

  • The office manager should create a list of all managed services the organisation uses. They can start by going through invoices or contracts because these documents usually list the service providers and what they do for the company.
  • The IT team should assess the sensitivity of the data handled by each service. They can do this by considering what kind of information each service manages, such as personal client details or financial records, and categorise it accordingly.
  • The procurement team should ensure that contractual details are well-documented in the register. They should include info like contract start and end dates, renewal terms, and any clauses about data protection to keep track of important deadlines and responsibilities.
  • Each managed service should have a designated point of contact within the organisation. Managers should assign this role and record contact details in the register so there's a clear person responsible for communication about each service.
  • The IT team should schedule regular security assessments for each managed service. This can be done by setting calendar reminders to review the provider’s security measures and ensuring they meet the organisation’s standards.

Audit / evidence tips

  • Ask: The managed service register. Request a copy of the current register listing all managed services. Good: Will show a detailed and up-to-date record with clear contact points for each service.
  • Ask: Data sensitivity classifications. Request documentation showing how data handled by each service is classified. Good: Will have a clear explanation and classification for each type of data handled by the service.
  • Ask: The security assessment schedule. Request the timetable or reminders for the next security checks on each service. Good: Will show a documented schedule, ensuring ongoing oversight.
  • Ask: Evidence of contractual arrangements. Request sight of current contracts with each service provider. Good: Will include contracts with clear terms and up-to-date validity.
  • Ask: Who the internal points of contact are. Request identification of the staff responsible for each service. Good: Will show named individuals for each service with their responsibilities clearly defined.

Cross-framework mappings

How ISM-1737 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)

  • Annex A 5.9: Annex A 5.9 requires maintaining an inventory of information and associated assets, including ownership

Supports (3)

  • Annex A 5.19: ISM-1737 requires organisations to maintain a comprehensive managed service register capturing provider details, purpose, data sensitivit...
  • Annex A 5.20: ISM-1737 requires documenting contractual arrangements for each managed service in a managed service register, along with who to contact ...
  • Annex A 5.22: ISM-1737 requires a managed service register that includes, for each service, the due date for the next security assessment and 24/7 prov...

Related (1)

  • Annex A 5.21: Annex A 5.21 requires defined processes and procedures to manage information security risks associated with ICT supply chain products and...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
