Identify Multiple Suppliers for Critical IT Sourcing
Ensure multiple suppliers are considered for sourcing essential IT systems and services to reduce supply chain risks.
Plain language
When sourcing critical IT systems and services, identify more than one supplier before you need them. A single supplier that goes out of business, loses the ability to supply, or cannot meet your requirements can seriously disrupt operations; having alternatives already assessed reduces that risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Multiple potential suppliers are identified for sourcing critical operating systems, applications, IT equipment, OT equipment and services.
Why it matters
Relying on a single supplier for critical IT services can severely disrupt operations if they fail to deliver, increasing supply chain risks.
Operational notes
Maintain at least two viable suppliers for critical OS/apps/equipment/services, and periodically reassess capability, lead times and financial viability.
Implementation tips
- The procurement team should identify a list of potential suppliers for each critical category named in the control: operating systems, applications, IT equipment, OT equipment and services. They can start by researching and contacting candidate vendors to understand their capabilities and offerings.
- The IT manager should develop a checklist of the criteria that suppliers need to meet. This might include reliability, cost, and the ability to meet future demands. They can gather this information through meetings and proposals from each supplier.
- The finance department should evaluate the financial stability of potential suppliers. This can be done by reviewing credit reports or financial statements to ensure they are viable long-term partners.
- The legal team should draft contracts with alternative suppliers to prepare for any disruptions. This involves creating agreements that outline terms of service and contingencies in case the primary supplier fails to deliver.
- Management should ensure regular reviews of supplier performance. This can be done by setting up quarterly meetings where suppliers' service levels and any issues are discussed and documented.
Audit / evidence tips
- Ask for a list of potential suppliers: request documentation showing the different vendors considered for sourcing IT systems and services. Good evidence includes a dated list with summary evaluations for each supplier.
- Ask for the supplier vetting criteria: request details of the standards used to evaluate potential suppliers. Good evidence includes documented criteria covering reliability, cost, and support capabilities.
- Ask for contracts or agreements: request copies of any prepared or signed contracts with alternative suppliers. Good evidence shows thorough, up-to-date agreements with key failure scenarios covered.
- Ask for financial reviews of suppliers: request documentation of financial health checks performed on vendors. Good evidence has recent and detailed financial assessments attached.
- Ask for records of supplier performance reviews: request minutes or summaries from meetings about supplier performance. Good evidence includes recent reviews with action points and improvements.
Cross-framework mappings
How ISM-1788 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.19 | ISM-1788 requires organisations to identify multiple potential suppliers for critical operating systems, applications, IT/OT equipment, a... |
| Partially meets | Annex A 5.21 | ISM-1788 requires organisations to identify multiple potential suppliers for critical ICT/OT products and services to reduce concentratio... |
| Supports | Annex A 5.20 | ISM-1788 requires organisations to identify multiple potential suppliers for critical systems and services to reduce supply chain depende... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.