ISM-1785 policy ASD Information Security Manual (ISM)

Develop and Maintain Supplier Management Policy

Ensure a policy is in place for managing relationships with suppliers in a consistent manner.


Plain language

This control is about having a clear policy on how your organisation manages its relationships with suppliers. Imagine running a business where each supplier does its own thing with no clear guidelines from you: the result is misunderstandings, missed expectations, or security risks when a supplier handles your sensitive information or has access to your systems. A good policy keeps everyone on the same page and ensures your organisation is not caught off guard by supplier issues.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC (non-classified), OS (OFFICIAL: Sensitive), P (PROTECTED), S (SECRET), TS (TOP SECRET)

ISM last updated

Nov 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

A supplier relationship management policy is developed, implemented and maintained.

Why it matters

Without a supplier relationship management policy, third-party access and contract security requirements are applied inconsistently from one supplier to the next, increasing the risk of data leakage and of service outages when a supplier fails or is compromised.


Operational notes

Define supplier due diligence, contract security clauses, third-party access approvals and offboarding steps; review the policy regularly to reflect supplier and risk changes.


Implementation tips

  • Procurement team should develop a supplier management policy: Gather your team and draft a document that outlines how your organisation will manage and interact with suppliers. Include criteria like performance expectations, data security requirements, and contract terms.
  • Managers should identify key suppliers: Review all current suppliers and assess their importance to your organisation. Focus on those whose failure would significantly impact your business operations or security.
  • HR and IT departments should work together: Ensure the policy includes training for employees responsible for supplier relations. This can be achieved by creating a training schedule and inviting experts to explain the expectations and guidelines clearly.
  • The legal team should review contracts: Check that all supplier agreements comply with the new policy. Amend contracts to clearly state data protection requirements and performance metrics as necessary.
  • The leadership team should periodically review the policy: Schedule regular meetings, perhaps quarterly, to discuss any changes needed in the policy due to changes in business goals or external factors like new regulations.

Audit / evidence tips

  • Ask: The supplier management policy document. Request to see the formal document outlining the policy. Good evidence: Shows step-by-step management processes and expectations in plain language.
  • Ask: A list of key suppliers. Request documentation showing identified priority suppliers. Good evidence: Explains the criteria for their selection and prioritisation.
  • Ask: Training records. Request records showing attendance and material used in training sessions related to supplier management. Good evidence: Includes participant names, dates, and a summary of what was covered.
  • Ask: A sample supplier contract. Request a copy of a supplier contract with data security clauses. Good evidence: Includes clauses that link directly back to the policy.
  • Ask: Meeting minutes on policy reviews. Request notes or minutes from the leadership meetings about policy reviews. Good evidence: Shows documented decisions and the reasoning for any modifications.

Cross-framework mappings

How ISM-1785 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially overlaps (1): Annex A 5.19 (Information security in supplier relationships). Annex A 5.19 requires defined and implemented processes and procedures to manage information security risks from suppliers’ products and ...
  • Supports (1): Annex A 5.20 (Addressing information security within supplier agreements). ISM-1785 requires an organisation to establish and maintain a supplier relationship management policy.

ISO 42001

  • Partially overlaps (1): Annex A 10.3 (Suppliers). Annex A 10.3 requires the organisation to establish a process ensuring its use of supplier-provided services/products/materials for AI al...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
