Ensure Regular Verification of Service Provider Security
Organisations must regularly check that service providers meet agreed security standards.
Plain language
You need to regularly check that your service providers are keeping up their end of the deal when it comes to security. This is important because if they slip up, it could mean data leaks, financial loss, or damage to your reputation. Without these regular check-ins, you could be caught off guard by security issues that harm your business.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The right to verify compliance with security requirements documented in contractual arrangements with service providers is exercised on a regular and ongoing basis.
Why it matters
If provider compliance isn’t regularly verified against contract security requirements, control gaps can persist, leading to data compromise and loss of trust.
Operational notes
Maintain an ongoing schedule to exercise contractual audit/assurance rights (e.g., attestations or audits), and record evidence, findings and remediation actions.
Implementation tips
- The procurement manager should ensure that all contracts with service providers include a clause allowing for regular security audits. Assemble a checklist of security standards agreed upon during contract negotiations and include these in the contracts.
- An IT team member should set a schedule for conducting security reviews with each service provider. Mark these dates on a shared calendar and ensure each provider is notified in advance to prepare necessary documentation and access.
- The security officer should conduct these audits or reviews of service providers. Use a clear checklist of agreed security measures and confirm that the provider meets each requirement during the review process.
- The business owner or manager should review the results of these security audits with the IT team or security officer. Ensure there is a discussion about any weaknesses found and agree on steps the service provider must take to improve.
- An HR or leadership team member should be tasked with supporting the ongoing relationship with service providers. Regularly engage with providers to remind them of their security obligations and reinforce the importance of meeting these standards.
Audit / evidence tips
- Ask for the service provider audit schedule: request the document outlining planned audits with service providers. Good: a clear schedule of audits with named responsible parties.
- Ask for contracts or agreements with service providers: review these documents to ensure they include clauses about security audits and compliance checks. Good: contracts will clearly state the frequency and scope of audits and provider obligations.
- Good: the report will be thorough, identifying any compliance failures and suggesting improvements.
- Ask for records of communication with service providers.
- Ask for documented follow-ups on any security failures.
Cross-framework mappings
How ISM-1738 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | Annex A 5.20 | Annex A 5.20 requires relevant information security requirements to be established and agreed with each supplier based on the relationshi... |
| Partially overlaps (4) | Annex A 5.19 | ISM-1738 mandates regular verification of service provider compliance with contracted security requirements |
| Partially overlaps (4) | Annex A 5.21 | ISM-1738 requires regular, ongoing verification of service providers against contractual security requirements |
| Partially overlaps (4) | Annex A 5.22 | Annex A 5.22 requires organisations to monitor and evaluate supplier practices and service delivery, including managing change |
| Partially overlaps (4) | Annex A 5.36 | Annex A 5.36 requires organisations to regularly review compliance with information security policies, rules and standards |
| Supports (2) | Annex A 8.21 | Annex A 8.21 requires that security requirements for network services are identified and that implemented mechanisms and service levels a... |
| Supports (2) | Annex A 8.30 | Annex A 8.30 requires directing, monitoring and reviewing outsourced system development activities on an ongoing basis |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.