ISM-1793 policy ASD Information Security Manual (ISM)

Regular Assessment of Managed Service Providers

Managed service providers and their managed services must undergo an IRAP assessment at least every 24 months, against the latest ISM release available before the assessment begins.


Plain language

Managed service providers should have their security measures independently checked at least every two years to confirm they are protecting your data properly. If this is not done, the provider's security may quietly fall out of step with current requirements, leaving your confidential information exposed to data breaches or operational disruption.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S (non-classified, OFFICIAL: Sensitive, PROTECTED, SECRET)

ISM last updated

Nov 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Managed service providers and their non-classified, OFFICIAL: Sensitive, PROTECTED and SECRET managed services undergo an Infosec Registered Assessor Program (IRAP) assessment, using the latest release of the ISM available prior to the beginning of the IRAP assessment (or a subsequent release), at least every 24 months.

Why it matters

Without an IRAP assessment at least every 24 months against the latest ISM release, an MSP's services may drift from ISM requirements without anyone noticing, increasing the risk of data compromise across every customer that relies on them.


Operational notes

Schedule an IRAP assessment for each MSP and each of its managed services at least every 24 months, and require assessors to use the latest ISM release available before the assessment starts (or a subsequent release). Track the assessment end date so the next one is booked before the 24-month window lapses.


Implementation tips

  • Procurement should update contracts with service providers: Include a clause that requires the provider to undergo an IRAP assessment at least every 24 months and to share the resulting report. Ensure all parties understand this is a non-negotiable part of the contract terms.
  • IT team should collaborate with service providers: Work closely with them to understand current security measures and prepare for the assessment. This includes agreeing a timeline and ensuring the assessor has the documents and system access they need.
  • Management should monitor the assessment process: Keep an eye on progress and ensure the assessment is completed on schedule. Follow up on any findings to ensure they are remediated promptly.
  • HR should brief staff on the importance of regular assessments: Host information sessions or distribute materials explaining why these independent security checks matter. This helps build a culture of security awareness within the team.

Audit / evidence tips

  • Ask for the IRAP assessment report: Request the most recent report from your service provider showing the results of its assessment. Good evidence includes a recent date, the issues identified, and a plan for addressing them.
  • Ask for the service contract: Request the contract that includes a clause mandating regular IRAP assessments. Good evidence includes clear assessment terms and signed acceptance by both parties.
  • Ask for evidence of issues being addressed: If past assessments found problems, request documentation showing how these were fixed. Good evidence shows resolved issues with recent verification checks.
  • Ask for internal meeting notes: Request documentation of meetings between your team and the service provider preparing for the assessment. Good evidence includes scheduled preparation steps with responsible persons noted.
  • Ask for staff training materials: Request any materials used to educate staff on the importance of these assessments. Good evidence includes timely distribution and clear, comprehensible content.

Cross-framework mappings

How ISM-1793 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 5.35 ISM-1793 requires an independent IRAP assessment of managed service providers and their services at least every 24 months, using the late...
Supports (3)
Annex A 5.19 ISM-1793 requires managed service providers (and their managed services up to SECRET) to undergo an IRAP assessment against the latest IS...
Annex A 5.20 ISM-1793 requires periodic IRAP assessments of managed service providers against the ISM to maintain assurance over their security compli...
Annex A 5.22 ISM-1793 mandates periodic (24‑monthly) IRAP assessments of managed service providers against the ISM to provide assurance of their secur...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
