ISM-1804 (policy control, ASD Information Security Manual (ISM))

Include Break Clauses in Cloud Service Contracts

Contracts must have clauses that allow termination if security requirements aren't met by service providers.


Plain language

Imagine you're relying on a company to securely manage your important files in the cloud. What happens if they fail to protect your data? This control means you can end your contract if they don't meet their security promises. It’s important because having this safety net helps you avoid bigger issues if things go wrong.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Break clauses associated with failure to meet security requirements are documented in contractual arrangements with service providers.

Why it matters

Without break clauses tied to unmet security requirements, you may be locked into a non-compliant cloud provider, extending breach exposure and increasing legal and reputational risk.


Operational notes

Review cloud contracts to ensure break clauses explicitly cover failure to meet security requirements, define triggers/evidence, and specify termination or remediation timeframes.


Implementation tips

  • Business managers should work with legal experts to ensure the contract with your cloud service provider includes clear terms about data security expectations. Draft these terms with precise language that specifies the security standards required, such as data encryption and regular audits.
  • Procurement officers should collaborate with IT and security teams to identify potential risks associated with the service provider. Conduct a risk assessment to understand where the provider might fall short and ensure these risks are addressed in the break clauses of the contract.
  • Legal advisors must review current cloud service contracts to check for existing security clauses. They can update the contracts by adding break clauses that specify actions, like terminating the contract if the provider fails to comply with the agreed security measures.
  • Business owners should set up regular meetings with the cloud service provider to review compliance with security clauses. In these meetings, go through the provider's performance reports to verify they are upholding their security commitments.
  • HR and training managers should provide education sessions for staff involved in managing cloud services. Teach them about the importance of break clauses and how to monitor contracts for any security compliance issues.

Audit / evidence tips

  • Ask: The signed cloud service contract. Good: Shows clear, signed clauses that articulate the right to terminate the contract if security promises aren't met.
  • Good: Includes these risks being directly addressed in the contract's break clauses.
  • Ask: Evidence of periodic compliance meetings. Good: Shows regular, documented meetings where security compliance is reviewed.
  • Good: Includes consistent or exceeding results, with action items if standards were not met.
  • Ask: Training records for relevant staff. Good: Shows thorough training that includes examples of how to handle non-compliance.

Cross-framework mappings

How ISM-1804 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 5.19: ISM-1804 relates to contractual break clauses for cloud service security non-compliance.
  • Annex A 5.20: Annex A 5.20 requires organisations to agree on information security requirements with suppliers.

Related (1)
  • Annex A 5.21: Annex A 5.21 addresses end-to-end management of ICT supply chain security risks via defined processes and procedures.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
