Notify Significant Changes to Service Provider Agreements
Service providers must inform clients at least one month in advance of major changes to their contracts.
Plain language
This control means that your service providers, like those who manage your IT or cloud services, need to tell you at least a month before they make big changes to your contract. This matters because if something important changes without you knowing, you might get unpleasant surprises that could disrupt your business or increase your costs unexpectedly.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
A minimum notification period of one month by service providers for significant changes to their own service provider arrangements is documented in contractual arrangements with service providers.
Why it matters
Without at least one month’s notice of significant subcontractor/arrangement changes, agencies may face service disruption, compliance gaps and unplanned costs.
Operational notes
Include contract clauses requiring service providers to give a minimum one‑month notice of significant changes to their own provider arrangements, and track notifications.
Implementation tips
- Procurement teams should ensure contracts include a clause about advance notice for contract changes. When negotiating or reviewing contracts with service providers, include a requirement that any significant changes must be communicated at least one month in advance, ensuring transparency and time to make necessary adjustments.
- Managers should maintain a calendar with contract renewal and review dates. Use this calendar to schedule reminders a month before potential contract changes, so the team can review potential impacts and prepare effectively.
- Service providers must establish a formal process to notify clients of upcoming changes. Design a simple communication plan that uses email or letter to inform clients at least a month beforehand, highlighting specific changes and their implications.
- Legal teams should review and approve any contract updates or amendments from service providers. Prior to accepting changes, check the contract modifications align with your organisation’s needs and verify the notification period requirement is met.
- IT teams should assess how proposed changes might impact services. Whenever a notice of change is received, evaluate the potential effects on operational systems and collaboratively plan any required adaptations with relevant stakeholders.
Audit / evidence tips
-
Aska copy of the service provider contract. Review the section detailing change notification terms, focusing on whether a one-month advance notice clause is included
Goodwill show a clear clause specifying the notification period and agreement conditions
-
Goodindicates that all significant changes were communicated at least one month in advance
-
Aska calendar or log of contract review dates. Investigate if there are regular reminders set for contract renewals and updates
Goodshows a systematic and timely approach to review processes, ensuring preparedness for upcoming changes
-
Goodoutlines a structured process that considers contractual requirements and business impacts
-
Askto see communication records related to service provider changes
Goodincludes clear, timely communication with relevant parties about upcoming changes and their implications
Cross-framework mappings
How ISM-1794 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (3) expand_less | ||
| Annex A 5.19 | ISM-1794 requires contractual terms that compel service providers to give at least one month’s notice before significant changes to their... | |
| Annex A 5.20 | ISM-1794 requires organisations to document a minimum one-month notification period for significant supplier-side arrangement changes wit... | |
| Annex A 5.22 | ISM-1794 requires suppliers to provide at least one month’s notice of significant changes to their own downstream service provider arrang... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.