ISM-1786 policy ASD Information Security Manual (ISM)

Maintain an Approved Supplier List

Ensure a list of approved suppliers is created, used, and kept updated.


Plain language

Having an approved supplier list is about knowing which companies or service providers are safe and reliable to work with. This matters because using an unapproved supplier could mean dealing with poor service, delays, or even giving sensitive information to the wrong people, potentially harming your organisation's reputation and security.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

An approved supplier list is developed, implemented and maintained.

Why it matters

Without an approved supplier list, organisations may onboard unvetted vendors, increasing supply-chain risk, breaches, and disruptions.


Operational notes

Maintain the approved supplier list by attaching security and compliance checks to supplier onboarding, scheduling periodic reviews of every listed supplier, and removing suppliers that fail reassessment.


Implementation tips

  • Managers should create a list of suppliers that the organisation can safely use. Start by gathering recommendations from staff who regularly deal with suppliers, then review their past performance and reliability.
  • The procurement team should check and update this supplier list regularly. This can be done by scheduling quarterly reviews and confirming that each supplier continues to meet the organisation's standards.
  • Before adding a new supplier to the list, procurement officers should do a background check. This might involve reviewing their financial stability, checking references from other clients, and ensuring they comply with any relevant industry standards.
  • Ensure all staff know to only use suppliers from the approved list. Train employees by providing an overview of the approved supplier list during staff meetings and reminding them of the importance of using these trusted partners.
  • The finance department should monitor all invoices to ensure payments are only made to approved suppliers. This can be done by cross-referencing every invoice received with the approved supplier list before payment is authorised.

Audit / evidence tips

  • Ask: The current approved supplier list. Request the document or system where this list is maintained. Good: A comprehensive, up-to-date list with recent review dates and correct contact information.
  • Ask: Documentation of the supplier approval process. Request to see records of how suppliers are assessed and approved. Good: Clear records showing assessment criteria and approval based on objective, well-documented standards.
  • Ask: Records of quarterly reviews of the supplier list. Request documents showing when the last reviews took place and by whom. Good: Dated records of regular reviews showing updates made or confirmations that the list remains current.
  • Ask: Staff training records about supplier use. Request documents or logs of training sessions where employees were informed about the supplier list. Good: Recent training logs showing wide attendance and clear emphasis on using only approved suppliers.
  • Ask: A sample of recent supplier invoices. Request copies of invoices from the past few months. Good: Invoices that all map back to the approved supplier list, demonstrating correct procurement practices.

Cross-framework mappings

How ISM-1786 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (4 controls)

Control | Notes
Annex A 5.19 | ISM-1786 requires an organisation to develop, implement and maintain an approved supplier list
Annex A 5.20 | ISM-1786 requires an organisation to maintain an approved supplier list to control which suppliers can be engaged
Annex A 5.21 | ISM-1786 requires an organisation to create and maintain an approved supplier list to control supplier engagement
Annex A 5.22 | ISM-1786 requires an organisation to implement and maintain an approved supplier list

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
